A Precedent to Remember: FBI Operation Removed Web Shells from Exchange Servers (Part 2)

Matt B
6 min readApr 15, 2021

This post is Part 2 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.

Figure 0. Notes on notes

On April 13, 2021, we learned what I believe will be a monumental event for cybersecurity in the United States. The U.S. Department of Justice announced a “Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities,” detailing an FBI operation to remove malicious files from public-facing email systems. This operation technically commenced on April 9, 2021, per the documents provided. Based on the language in the DOJ’s announcement, it appears this operation has been completed and was successful.

I think this event sets some interesting precedent for the U.S. government’s response to cyber vulnerabilities. I’ve seen many opinions on this matter and felt it’d be best to describe my interpretation of the documents provided. This is part two of a two-part post, in which I’m going to examine the following questions:

  1. Did they access my system(s)?
  2. What cyber threat intelligence (CTI) can we pull from this operation?
  3. What do we do next?

There’s a good chance that I may not cover all the…

--

--

Matt B
Matt B

Written by Matt B

Be selective with your battles.

No responses yet