A Precedent to Remember: FBI Operation Removed Web Shells from Exchange Servers (Part 2)
This post is Part 2 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.
On April 13, 2021, we learned what I believe will be a monumental event for cybersecurity in the United States. The U.S. Department of Justice announced a “Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities,” detailing an FBI operation to remove malicious files from public-facing email systems. This operation technically commenced on April 9, 2021, per the documents provided. Based on the language in the DOJ’s announcement, it appears this operation has been completed and was successful.
I think this event sets some interesting precedent for the U.S. government’s response to cyber vulnerabilities. I’ve seen many opinions on this matter and felt it’d be best to describe my interpretation of the documents provided. This is part two of a two-part post, in which I’m going to examine the following questions:
- Did they access my system(s)?
- What cyber threat intelligence (CTI) can we pull from this operation?
- What do we do next?
There’s a good chance that I may not cover all the…