The Federal Bureau of Investigations (FBI) has accessed and helped clean up hacked Exchange servers using backdoors created and used by criminals after gaining unprecedented legal authority from US courts.
The agency accessed only hacked Exchange servers that were physically located in the United States.
Cyber criminals targeted thousands of vulnerable Exchange servers around the world over the six weeks since Microsoft disclosed critical flaws in the platform that allow hackers to steal data and implant backdoors.
Many of these groups created backdoors in the servers they attacked, gaining a foothold that would not be removed should system administrators patch the exposed vulnerabilities the groups initially exploited.
The FBI was able to access and remove those illegal backdoors because it had obtained the common password some hacking groups had applied to login into their hacked machines.
“Many infected system owners successfully removed the web shells from thousands of computers [while] others appeared unable to do so,” the US Department of Justice said in a statement.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorised access to US networks.”
The FBI issued commands through the backdoor web shells that deleted only the web shell.
It is the first time a law enforcement agency is known to have cleaned up machines using hacked access, but not so for internet vigilantes who have on multiple occasions issued commands to huge botnets in a bid to wrest control of infected computers from criminal hackers.
Such moves, while temporarily effective at hindering cybercrime, are dangerous because they could cause significant disruption.
Multiple hacking groups attacked the vulnerable Exchange servers including the Hafnium group which targeted a wide variety of US sectors from infectious disease research to education and defence, allegedly at the behest of Beijing.
Many organisations used Microsoft’s hosted Exchange service rather than running servers in-house.
However, the Federal Government’s Australian Cyber Security Centre (ACSC) said last month it identified “extensive” targeting and compromises of Australian organisations that ran vulnerable Exchange servers.
Hacking groups were quick to attack exposed Exchange servers that had not had the requisite security patch applied.
Microsoft stepped in to help with a tool that could when run find tell-tale signs of compromise, remove any backdoors, and patch the exposed vulnerabilities.
The FBI did not conduct any such clean-up in its operation, however, and removed only the backdoor which the agency and hacking groups used to access the servers. It left systems unpatched and a any malware undisturbed.
The National Security Agency, the chief US spy agency, this week reported new dangerous flaws in Exchange Server 2013, 2016, and 2019 that allow attackers to execute code. These flaws also only affect on-premise servers.
The FBI’s cleaning efforts could be short-lived should cyber criminals wise-up to the risk the agency and other law enforcement agencies might access and remove any backdoors they create using this week’s vulnerabilities that have shared passwords.
The ACSC warned administrators to patch the latest flaws and noted a large undisclosed number of Australian organisations have not yet done so.