FBI acts to remove backdoors from hacked Microsoft Exchange servers

Microsoft Exchange backdoors could’ve led to future cyberattacks, despite patches


The FBI has executed a court-authorized operation to remove malicious backdoor web shells from hundreds of Microsoft Exchange email servers targeted in the recent spate of attacks.

The attacks exploited four zero-day vulnerabilities in Microsoft Exchange, collectively referred to as the ProxyLogon vulnerabilities, that were first exploited by Chinese state-sponsored threat actors known as Hafnium. Even conservative estimates by security experts such as ESET pinned the number of compromised servers at over 5000.

According to reports, this is perhaps the first instance of the FBI sanitizing private servers in the aftermath of a cyberattack.


Backdoor removal


“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas.

The FBI is now trying to contact the owners of the servers that it has cleaned to inform them about the court-authorized operation.

Utilities such as Microsoft’s one-click tool helped ensure a majority of the servers, several at small businesses that lack dedicated IT and security teams, could also plug the vulnerabilities.

However, security researchers soon discovered that the attackers had left web shells to return to the compromised systems for future actions.


Discovering and removing the web shells isn’t as simple as applying a patch, which prompted the FBI to act.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the Justice Department note.
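The FBI's removal worked because each shell was a known file at a unique path; for a defender who does not yet have that list, the hard part is finding the files in the first place. The following is an added example (not code from the article, the FBI or Microsoft) of a read-only hunt for ASP.NET web shells in Exchange's web-accessible directories; the directory paths, indicator patterns and sample files are assumptions constructed for illustration.

```python
"""Added example: hunt for ASP.NET web shells left behind on an Exchange server.

Not code from the article, the FBI or Microsoft. EXCHANGE_WEB_DIRS and the
INDICATORS are assumptions; the files built in demo() are constructed samples.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed default locations to scan on a real server (hypothetical; adjust to
# the actual install path). demo() scans a constructed temp tree instead.
EXCHANGE_WEB_DIRS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
]

# Content indicators: server-side code that evaluates or executes request data.
INDICATORS = [
    re.compile(r"JScript\.Eval|eval\s*\(", re.IGNORECASE),
    re.compile(r"Request\s*(\[|\.Item\[|\.Form\[|\.QueryString\[)", re.IGNORECASE),
    re.compile(r"Process\.Start|cmd\.exe|powershell", re.IGNORECASE),
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def scan_for_webshells(root, min_hits=2):
    """Return [(relative_path, sha256, hits)] for web-accessible files matching
    at least `min_hits` distinct indicators. Nothing is modified or deleted;
    removal by exact path stays a separate, deliberate step."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        data = path.read_bytes()
        text = data.decode("utf-8", errors="ignore")
        hits = [p.pattern for p in INDICATORS if p.search(text)]
        if len(hits) >= min_hits:
            digest = hashlib.sha256(data).hexdigest()
            findings.append((str(path.relative_to(root)), digest, hits))
    return findings


def demo():
    """Build a constructed tree with one legitimate page and one shell-like file."""
    root = tempfile.mkdtemp()
    owa = Path(root, "owa", "auth")
    owa.mkdir(parents=True)
    (owa / "logon.aspx").write_text('<%@ Page Language="C#" %><html>Sign in</html>')
    (owa / "x.aspx").write_text(  # constructed, non-functional sample
        '<%@ Page Language="C#" %><% /* reads Request.Form["c"], feeds Process.Start */ %>'
    )
    return scan_for_webshells(root)  # returns one finding: owa/auth/x.aspx
```

Each finding carries the file's hash and exact path so that it can be verified against a known-good baseline before anything is deleted.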

Via: TechCrunch

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
