FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday. The Feds were given approval by the courts to carry out the deletions, which occurred without first warning the servers' owners, following the discovery and exploitation of critical …
I think the FBI should have phoned all of the affected users.
"Good morning, this is Jim from the FBI, and we found some malware installed on one of your servers. We are offering a free patching service to everyone affected. If you would like us to proceed, just start up TeamViewer and enter this code."
Not as dangerous as you might think. A court had to approve it, with a paper trail of people and agencies to file lawsuits against, in case something went horribly wrong.
Back during the 'Code Red' infection, the malware resided in memory but not on disk, yet it opened up a CMD shell accessible via a listening TCP port. So if someone (nobody I know of course) were to get an infection attempt from "some IP address", that person could have written a bot (but nobody did this, it's probably not legal) to use the CMD back door to shut down the web server and make the virus go away. Of course the machine would get infected again as soon as one of the many code red bots detected it, so the only REAL fix was to patch or shut off the web server.
Similarly here, except the FBI got court approval first and apparently had a list of IP addresses to work with already (a court would require this).
I'm not complacent about this action, but it's significant that they did get a warrant – so they had legal authorization and satisfied the Fourth Amendment requirement – and they only got into the servers because malware was already installed on them, which means those sensitive documents were likely already in someone else's hands anyway.
The government knows best and we work for you. In ye olde days, there were book burnings to try to wrest command and control back from the starved of information and advanced intelligence masses to a self chosen almighty vulnerable few.
* Well, of course you can, and why wouldn't you whenever you know they are capable of looking out for you so diligently, and are enabled by approval to be able to act autonomously on your behalf. Quite whether you would agree and accept that as a good thing in their remit is a whole other different matter.
Methinks that sort of little leak is the fatal vital straw that causes the hoovering dams to burst.
Since when did the FBI give a shit about the precise details listed on warrants? They found an excuse to convince a Judge to let them in, the Judge agreed, they went in, took copies, poked around to see how much more than the email system they could access, made copies of all that, and then fixed the bug. The only question remaining is did they leave behind another, more private, backdoor in some or all of the affected servers? Perhaps turn back on the disabled Intel Management Engine on select systems?[0] It's kind of what they do, after all ...
[0] When was the last time you checked the status of yours?
"and then fixed the bug"
Clearly you didn't bother the read the article. Not only is most of what you state as fact merely assertion on your part, but the bit quoted above is specifically mentioned in the article to NOT have been done. The "bug" is still there, the servers are still vulnerable. The feds only removed the infection.
[0] When was the last time you checked the status of yours?
My Blackbird desktop doesn't have a Management Engine. It also doesn't run Windows or commercial games [1].
Such a nice feeling though, not having a known backdoor.
[1] I have another computer for the few games worth playing these days. As far as its Management Engine is concerned, "gamer1" only visits Steam forums and the like.
Warrant hearings are before magistrates with only the applicant being present (so nobody to argue against issuing the warrant). The applications frequently misrepresent the facts, exaggerate and are very selective in the information provided.
For some applications for warrants in the UK, magistrates courts are used, but often the applications are, or were, on paper, and the magistrates have so many to sign that they often do not read each one*. Higher courts can also issue warrants, and I suspect that in the USA, an application for a warrant to delete malware from privately owned computers without the owners' knowledge would have to be provided by a senior judge, particularly if it applied over several states.
I do wonder, however, what evidence the FBI said they would use to ensure they were only accessing the correct computer systems, and what records they kept of the justifications for each system and what they actually did. I suspect that the System Administrators of the affected systems would be most interested to know. Off course, it could be covered by the MS licence agreement small print, after all, who reads that?
*A family member was a lay magistrate and was often confronted with a pile of warrant applications from the police to sign quickly when she turned up on a Monday morning.
Not "essentially a warrant" – it was a warrant. It's unsealed now and mostly redacted; the article contains a link to the FBI announcement, and the announcement has a link to download the unsealing order and the related documents. They're right there to be read.
The warrant is pretty specific. It was signed by Magistrate Judge Peter Bray of the US District Court, Southern Texas. FWIW, Bray has an engineering degree, and he was a Public Defender for 14 years.
The warrant says it was requested by telephone, and it was issued the day it was requested, so it's not like Bray spent a lot of time agonizing over it. But I don't see any grounds for claiming it was just rubber-stamped.
(I know. What kind of a nerd does actual research before commenting?)
This is the first time I've ever heard of this type of action by the federal government. I'm not sure why this was done secretly, not even notifying at least the website owners ahead of time.
It would be interesting to hear more on why the FBI thought the action justified: the article seems to imply that it might be under national security purposes?
I can't say for sure, but sounds like they removed the shells and possibly notified the companies at the same time/shortly after (likely with a demand for secrecy). Just that the sealed order has now been unsealed, giving all the cleaned and warned parties a tiny fighting chance to sort themselves in the meantime.
A South Texas attorney?
As long as an attorney is able to argue cases in Federal court (passed whatever bar exams, etc.), that should be fine, yeah. It's also possible that the FBI hired a private attorney, or has a law firm under contract. This would not be unusual, really. However you would normally expect a government attorney to argue such cases.
Was this approved by a state judge and therefore were all of the servers in Texas?
No. Seriously, the answer to this question is right in the links in the article. You can't take a few minutes to check?
I admit the phrasing in the article is ambiguous: "The action was OK'd ... by a Texas court" is true, in the sense the court is in Texas, but it's not a court of the State of Texas. It's the US District Court for the Southern District of Texas. The servers were in several states. From the warrant application:
19. The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.
I wonder how much Microsoft paid the feds for their services here? I don't see any mention of that. In fact, the article comes across like they didn't pay and are effectively using the gubmint as a free security / triage / mitigation tream.
I'll have to talk to some of the small businesses I work with. They'll be thrilled to be able to call the gubmint to have their virus scans done for free. They're always complaining about how I expect to be paid for services like that.
Try the other way around,... sure microsoft we'll take care of this lil issue for us... here is some tax dollars, let us into these servers... never mind that we will rummage around/plant "evidence" to make us look good..
Claims that the FBI are behind it: https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft
Sounds like a bunch of old NSA backdoors got discovered and now they need the Feds to go around and plant new, unknown ones to maintain their status quo.
Even the courts are in on it now.
The status quo has just shifted and it's not in a better direction.
As in most countries, the biggest Criminals are the Government & their friends. ..... Anonymous Coward
Now that is an observation and accusation that the present Boris Johnson fronted Tory Party gang/cabal/government are most anxious to not be discovered and exposed by a quasi-independent Westminster Parliamentary inquiry before a cast of their peers, in a copy-cat mirror of the recent, excellently transparent and wonderfully well live-televised/broadbandcast Scottish Parliament Holyrood Inquiry investigating the shenanigans surrounding Nicola Sturgeon and Alex Salmond.
For any thinking that better lessons and unpleasant hidden truths can be learned with a trialing and trailing of anything else lesser, they would be very much mistaken, and have one thinking that they would have much to hide from general knowledge and mass public view should they choose to reject and oppose it ...... and that would make them somewhat complicit in and possibly probable accessories to any and all facts that would subsequently be teased to the surface of the swamp.
What a stinking mess they have made for themselves.
One does have to wonder at what the police and the military and the intelligence services are going to do about, or whether they are to be recognised as a toothless paper tiger doing nothing at all honourable?
So now the 'good' guys and the bad guys both get to tamper with your systems without warning. Time to install some pretty strong protective proxy between you and the entire planet.
Ultimately, security should be the responsibility of the system owner. That's the only safe place to be provided the necessary understanding and resources are in place. Government agencies should be providing the understanding and resources, not tinkering arbitrarily with your kit.
Hint:
Don't run computers that let unauthorised people run commands on them.
This stops not only these kinds of actions, but also the problem in the first place.
While I agree that the responsibility should be your own, I see no reason with, say, permanently cutting off the Internet of infected machines at the ISP level until they are showing no more malicious traffic.
PlusNet in the UK used to block your web etc. access if they detected an open Samba port on your Internet-side. I think this is perfectly reasonable. I think it should be extended to "you're running a business mail server that's known-compromised and hasn't been patched in years", they just block your IP access and replace all HTTP pages with "Your network has been compromised, and as your ISP we have blocked your access. Contact us for information on how to resolve this block".
Maybe then people would wake up and fix their stuff in a timely manner.
Precisely Lee. So many people bitching and moaning that the Government is accessing systems, when the systems have already been compromised and accessed. They are slightly better off than before for the action. If they feel they are worse off then they should have patched the exploit and removed the shells themselves when they had the chance. At least the government are trying to tell the owners of these systems that they're vulnerable.
I wondered about this as well. Why didn't they just get a court order to threaten turn off said companies internet connection in X days if they fix the problem. You can lose your freedom for petty misdemeanours, why not just lose your link until you have shown that you can fix the problem.
Going in and modding somebody's server - no matter how bad the situation or good the intentions is an awful precedent to set.
Whose bloody country ? The good guys will tamper with your computer if it's in the national/their interest. Always have done, always will do. The time to install strong security was forever ago, and it still won't keep anyone determined, good or bad, out. If your takeaway from the feds removing one piece of malware from your computer is that you need better security, you're not wrong, but you're not competent.
With just two simple transpositions, is something from elsewhere yesterday rendered extraordinarily prescient quoted here today.
How about upping the ante and nailing the tail on the donkey with the tell-all tale ofBellingcatFBI looking far more like a bunch of crooks masquerading as wannabe spooks in the disguise of rotten two-faced reporters to the core rather than sugaring the poison pill with a similarBellingcatFBI looks far more like a bunch of spooks masquerading as citizen journalists than a people-centered organization taking on power and lies wherever it sees them. Unfortunately, with many of its proteges travelling through the pipeline into influential media outlets, it seems that there might be quite a few masquerading as reporters as well.And should it be a fact that
UK SISUS NSA are supporters ofBellingcatFBI, one would have to conclude that their secret intelligence service[s] is[are] in dire straits need of Novel Info and Noble Intel and NEUKlearer HyperRadioProACTive IT Sources for unparalleled unhindered success in the CyberIntelAIgent Space Domain ....... Captivated Hearts and Captured Minds Environment.
Do you know what all that means for everything and anything everywhere and anywhere that would both know of and enjoy and employ the Perils and Joys of Parallel Travel Paths and Singularities ..... apart from yet another COSMIC* Systems Capture for Alien Beings
COSMIC* .. Control Of Secret Materiel in an Internetional Command
... how does it feel that the FBI just traweled through the complete contents of your email system, and anything else that can be accessed through it?
Yes, I know, they'll claim they didn't look at anything, and they didn't keep copies of anything, and they didn't plant private backdoors on anything, not even the juicy targets ...but c'mon, that's what they do! It is their entire remit. You know it, I know it, and the FBI knows we know it. And yet you STILL apologize for Redmond's piss-poor security and continue to use it?
Wow. Just wow.
It's pretty sad that the first reaction to feds doing stuff like this is that they're sneaking in and adding their own spyware. More of a condemnation of the feds to have let their reputation slip so far.
The saving grace is that they (allegedly) did this using the malware itself, not the holes in Exchange. If you weren't already being attacked by malware authors and had failed to remove the web shell yourself, they (allegedly) did nothing. Presumably people cynical about the feds would have already done this.
"The saving grace is that they (allegedly) did this using the malware itself, not the holes in Exchange. If you weren't already being attacked by malware authors and had failed to remove the web shell yourself, they (allegedly) did nothing. Presumably people cynical about the feds would have already done this."
This! The tinfoil-hatters with their kneejerk responses seem to be out in force today. It's be nice if they took a few seconds to at least skim the article instead of spouting made up "facts". Some of what they are spouting may well be true, but they are still only assertions.
"The Feds are trawling and copying"
"The Feds are taking my data"
As I read it the FEDs appear to have sent a command via the web shell specifically to kill the malware (perhaps a malware self sanitise instruction). Discovery of the presence of the infection could be as simple as monitoring phone home pings with no need to have direct access to the infected server at all. Similarly the kill command could be sent under the guise of the c&c server to turn the malware on itself ...
I may be wrong but it seems that the "conspiracy theories" possibly fit this story less well than good old "trying to do the right thing" ...
It's not just you. But you know what el reg's forums are like...
Micro$ofT = BaD!!11!
FBI = DoUbLE BaD11!
Therefore they must have gotten in, cloned all your "very interesting email" and let themselves out, rather than just deleting the web shell.
All hail linux ect. etc.
Does the National Cyber Security Centre need a warrant to do this in the UK or does it already have the power, maybe by royal prerogative or the post-Brexit powers? How about elsewhere? And has the FBI worked on American companies' overseas servers or only ones within the US?
I wonder how the FBI determined that all of the servers they accessed where within the USA? I'm pretty sure that there are a bunch of servers that resolve to USAian IP addresses that are not within the US courts jurisdiction, e.g. foreign embassies. But I'm sure that the FBI checked on the details of every server in detail before 'helping' and any overstretch was purely accidental.
This makes me feel a little uneasy about the FBI overstepping the mark, but I think some people here are misinterpreting the story. They didn't patch any server, they just removed the malware. And if the FBI were going to install their crap, or steal info, would they go to court, be granted permission by a judge, do the deed, then tell the owners and the world's press afterwards? I think not.
This was almost certainly a national security issue, on which the FBI had to act quickly. If a team of Russian spies was rummaging around a Lockheed Martin office stealing missile designs, the feds would get round there and stop them. If they didn't, they'd be castigated for their inaction. In principle, this is no different - they have an obligation to stop a crime in action, especially when it involves national security.
It does leave me feeling uneasy, but I don't think there was much of a choice. The alternative is to let the bad guys steal top secret info and use it against US and / or its allies.
The alternative is simple : inform the affected parties *before* you do this, with a clear indication that inaction will result in either the feds will kill webshells on <date>, or in the feds contacting your ISP to block your IP until you have patched the bloody thing.
How many emails does one get that purport to come from organisations such as the FBI?
They go straight in the Spam folder. So unfortunately that course of action will be ineffective.
===
The only improvement on what they did that I can think of, is to do what Lee suggests, which is to get the ISP in each case to block relevant ports.
Re: Alternatives, jgard ..... if not the Russians, one can always try blaming and shaming the Chinese for such diligent enterprise. It a common default position for faulty default ridden systems. And some already have tried exercising that leap ........ as some always do. Does anyone care to mention and speculate on whom?
Microsoft announced a massive breach of its Exchange email platform in early March, saying that a zero-day vulnerability in the servers had given “long-term access” to hackers. The attack was attributed to a group dubbed Hafnium – an allegedly “state-sponsored” outfit operating out of China. ..... https://www.rt.com/usa/520953-fbi-microsoft-hafnium-exploit/
Or, instead of your Point 1., The FBI has been aware of this issue and thinks it's enough of a threat to national security that they threw together a tool to search for Exchange servers that were infected. After all, there are resources out there on the internet you can easily find and use to locate "open" baby monitors, web cams and all sorts of stuff that the owners have not secured. Anyone who reads El Reg reasonably frequently already knows this.
Taking your post one step further, my feeling is that such a tool was regarded as a long-term investment for them. It may have been in existence for some time prior to this outbreak, and will no doubt come in useful again in the future. No doubt it is a regular spider observed at regular intervals by mail admins (gosh, I sound like Attenborough: it's one creature that is unlikely to go extinct though).
I guess the real world analogy would be if the police noticed a business premises had been broken into and was being used a criminals to store drugs, I am sure they could go to court and get a warrant to go in the business and remove the drugs and seal it up so i can't be used again by the criminals.
Although the issue of when the owner is informed of the police getting involved is a one that could be debated
I could have this wrong, but I think if you patched your Exchange server but it already had the malware put on it, it's still there. Until the FBI deleted it.
Some alternative possible (not necessarily legal) actions for them:
Rename the malware file from NAUGHTYTHINGS.EXE to NAUGHTYTHINGS.FBI to inactivate it. (But that file might exist already.)
Drop a copy of the EICAR not-virus named GOOGLE-FBI-CVE-2021-26855.EXE. Sometime, someone will notice.
Replace the actual malware with FBI-ARE-WATCHING-YOU.EXE which reports on attempts to connect.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
