A Precedent to Remember: FBI Operation Removed Web Shells from Exchange Servers (Part 2)
This post is Part 2 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.
On April 13, 2021, we learned what I believe will be a monumental event for cybersecurity in the United States. The U.S. Department of Justice announced a “Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities,” detailing an FBI operation to remove malicious files from public-facing email systems. This operation technically commenced on April 9, 2021, per the documents provided. Based on the language in the DOJ’s announcement, it appears this operation has been completed and was successful.
I think this event sets some interesting precedent for the U.S. government’s response to cyber vulnerabilities. I’ve seen many opinions on this matter and felt it’d be best to describe my interpretation of the documents provided. This is part two of a two-part post, in which I’m going to examine the following questions:
- Did they access my system(s)?
- What cyber threat intelligence (CTI) can we pull from this operation?
- What do we do next?
There’s a good chance that I may not cover all the pertinent details from this, so feel free to leave a comment or hit me up on Twitter, and we’ll discuss this further!
Did they access my system(s)?
This question presents the most challenging aspect of this operation, and it is the one that current and future information security professionals should examine going forward. Let’s first address the concern of access and then examine how the FBI is handling communications.
(Un)authorized Remote Access
If your system(s) were in the list of systems presented in Attachment A (largely redacted, so I’m not going to screenshot it here), yes, your system was accessed as part of this operation. Or, perhaps it’s better to say access to your system was attempted. You’ll need to confirm that via your own logs; alternatively, if the FBI ever publishes a list of targets versus completions, we will know from that release.
This is where the law gets tricky: Does a court order bypass other restrictions and requirements concerning remote access to a system? There’s a joke circulating in a few circles about whether remote access by an unknown party constitutes a violation of regulatory requirements.
Or, what about your own internal controls? Did you have change controls in place to allow this access? Here’s the venerable Rick Holland commenting on the situation:
Rick’s tweet made me laugh, but he raises an interesting point — this is the question of the day. How do we treat U.S. law enforcement accessing our systems and removing (read: impacting) data on the system? Without knowing the full scope (were these just government systems, or was private industry included?), this court order provides for law enforcement to remove files they deem as dangerous.
Here’s another take on the topic:
Jokes and sinister thoughts aside, we should all be asking a few more questions in response to this:
- Will there be future widespread cyber vulnerabilities deemed important enough that the U.S. government will set up a “Malware Eradication Task Force?”
- When we deploy an Internet-facing system within the U.S., such as a web or email server, are we automatically allowing the U.S. government to include it as part of their eradication efforts?
- Given the definition of a “Protected Computer” (as we examined in Part 1), what specifically defines a computer associated with “interstate and/or foreign commerce?”
- How many of us currently have Protected Computer(s) in our fleet, and do we know about them?
And perhaps the biggest question I have:
Without advanced notice, how is a SOC or incident response team supposed to treat web shell access and file manipulation?
There’s a Catch-22 in this final question — if the security team was not aware or could not remove the web shell(s) themselves, would they even be able to detect access, legitimate or not?
It doesn’t matter.
If your system(s) were in the list of impacted systems targeted by this operation, the FBI lists the steps it will take to inform you of this action.
A screenshot below details the efforts they will make to inform you:
It’s a bit of a step-through process, so I put together a quick mind-map to help explain it:
I give credit to the FBI/DOJ: they are seeking multiple avenues to inform system owners of the operation. However, this is also setting up a ripe phishing opportunity! Check out this line in particular:
Those of you with non-private emails on WHOIS records, remain vigilant. You might have some interesting phishes coming your way!
What cyber threat intelligence (CTI) can we pull from this operation?
Unfortunately, despite the wide reach of an operation like this, there is little unredacted CTI data that isn’t already widely known. I’ve summarized what I could gather from this document below:
- Most CTI practitioners were already aware of Microsoft’s blog identifying the HAFNIUM threat actor. Not new.
- The patterns and file names corresponding to the web shells were also widely known, and overall were not “new” pieces of malware. Not new.
- The affidavit did not redact Microsoft’s claim that HAFNIUM is China-based. Not new, but an interesting line to leave in. I also really want to know what was redacted!
- The list of impacted IP addresses, domains, and specific web shell names were redacted. This information is still accessible via an Internet scan, but I would not recommend kicking one off. Not new.
Overall, this operation didn’t provide any new details for CTI analysts without the redactions being removed. However, I’ll add that open source research can likely fill in many of the blanks, if one were so inclined.
What do we do next?
Regardless of whether your system was impacted by this operation or not, my advice to you remains the same:
- Patch, patch, patch. This operation did not patch systems, it merely removed known web shell(s). Patching is still your responsibility.
- If you were not impacted by this operation, I don’t think that means you’re in the clear. I’d still recommend following the advice of numerous blog posts out there (resources below) on what to do next.
- Remain vigilant; operations like this pose a unique opportunity for attackers to craft phishes or, even worse, masquerade as the FBI accessing your web shell.
- On April 13, 2021, Microsoft released a new round of Exchange Server vulnerabilities. Details are here. Go patch again!
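On the question raised earlier (could a SOC even see access to a web shell, legitimate or not?), here is an added example that is not part of the original post: a small Python triage script that parses IIS W3C log lines from an Exchange front end, lists every request to an .aspx file outside an allowlist of expected entry points, and flags files that served 200 and later 404, the pattern you would expect after a shell was used and then deleted. The log lines, shell file names, IP addresses and the allowlist are constructed for the example and are assumptions, not data from the post or the affidavit.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt for this example (not real data).
# Shell file names are placeholders; IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-04-09 02:13:55 GET /owa/auth/logon.aspx url=%2fowa 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200
2021-04-09 02:14:02 POST /owa/auth/EXAMPLE_shell.aspx - 198.51.100.7 python-requests/2.25.1 200
2021-04-09 02:14:03 POST /aspnet_client/EXAMPLE_shell.aspx - 198.51.100.7 python-requests/2.25.1 200
2021-04-09 02:15:10 GET /owa/auth/EXAMPLE_shell.aspx - 203.0.113.9 Mozilla/5.0+(X11) 404
2021-04-09 02:16:00 GET /ecp/default.aspx - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Assumption: the lower-cased .aspx entry points you expect clients to hit on
# this front end. Build it from your own deployment, not from this list.
EXPECTED_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive repeats on each log roll
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def aspx_hits(text, expected=EXPECTED_ASPX):
    """Group requests for .aspx files outside the allowlist by path; each entry
    is (timestamp, client ip, method, status) in log order."""
    hits = defaultdict(list)
    for r in parse_w3c(text):
        path = r["cs-uri-stem"].lower()
        if path.endswith(".aspx") and path not in expected:
            hits[path].append((f'{r["date"]} {r["time"]}', r["c-ip"],
                               r["cs-method"], int(r["sc-status"])))
    return dict(hits)


def removed_after_use(hits):
    """Paths that served 200 and later 404: consistent with a shell that was used
    and then deleted. Correlate with file-system audit events before deciding who removed it."""
    flagged = []
    for path, events in hits.items():
        statuses = [status for _, _, _, status in events]
        if 200 in statuses and 404 in statuses[statuses.index(200) + 1:]:
            flagged.append(path)
    return sorted(flagged)
```

Run it against your own front-end logs for the operation window and compare the flagged paths with what your SOC already knew about; a 200-then-404 path nobody on your team deleted is exactly the case the post is asking about.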
I think this operation set some interesting precedent for response to cyber vulnerabilities, and everyone in information security should focus on the power exercised to put this into motion.
I won’t yet say if this is a good or bad precedent; only time, or future use of this operation as an example, will tell.
Microsoft Blog on HAFNIUM: HAFNIUM targeting Exchange Servers with 0-day exploits — Microsoft Security
Microsoft Blog on Exchange Attacks: Analyzing attacks taking advantage of the Exchange Server vulnerabilities — Microsoft Security
CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities | CISA