UPDATED 22:38 EST / APRIL 13 2021

SECURITY

FBI hacks compromised Exchange servers as more companies get targeted

In a possibly unprecedented move, the U.S. Federal Bureau Investigation has obtained a court order to allow it to hack compromised Microsoft Corp. Exchange Servers to remove vulnerabilities as more stories of Exchange servers being targeted continue to emerge.

The court order allowed the FBI to copy and remove malicious web shells from hundreds of vulnerable computers that were compromised by so-called Hafnium attacks first revealed by Microsoft security researchers March 2. Hafnium was described at the time as Chinese state-sponsored hackers targeting a number of recently identified vulnerabilities for which patches had been issued.

Patches being issued and patches being applied by Exchange users, however, are two different things, and despite widespread publicity about the need to apply the patches, many users have not — thus the FBI’s appearance.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the U.S. Department of Justice said in a statement. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell.”

“While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved,”  Monti Knode, director of customer and partner success at penetration testing company Horizon3.AI Inc., told SiliconANGLE. “This isn’t a knee-jerk reaction.”

Others were concerned about the implications of the FBI hacking other computers.

“I wonder what the implications would be for any potential damages that occurred with removing the web shells,” said Rick Holland, chief information security officer and vice president of strategy at digital risk protection firm Digital Shadows Ltd. “The FBI did conduct an ‘internal FBI testing process’ and also consulted with an ‘outside expert,’ but anyone that has worked in IT knows that when you remove software, there can be unintended consequences, such as bricking a server.”

Cryptomining

The FBI’s announcement comes on the same day that cybersecurity researchers at Sophos Group plc reported that threat actors have been targeting Exchange servers. They sought to leverage what the researchers called a ProxyLogon exploit to install Monero cryptomining code on compromised Exchange servers.

“It stood to reason that the Microsoft Exchange server vulnerabilities would be leveraged toward a broad set of nefarious ends,”explained Oliver Tavakoli, chief technology officer at AI cybersecurity firm Vectra AI Inc. “What makes this example interesting is that having hacked into one such Exchange server, the attacker staged a cryptomining package on it and when hacking into other Exchange servers simply retrieved the package from the staged location.”

One problem, Tavakoli added, is that firewalls are unlikely to block traffic between Exchange servers and may even give such traffic a pass.

Patch Tuesday

Also released today was Microsoft’s monthly Patch Tuesday updates. With the vulnerabilities in Exchange gaining so much attention, it’s a pertinent reminder of the importance to run updates when they become available.

Notable in the Patch Tuesday release this month are patches for four new critical Exchange Server vulnerabilities, formally named CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483. All four were credited to the National Security Agency.

“These vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index,” Satnam Narang, staff research engineer at cybersecurity company Tenable Inc., explained to SiliconANGLE. “Two of the four vulnerabilities — CVE-2021-28480 and CVE-2021-28481 — are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately.”

Photo: J/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU