The US FBI has revealed it accessed hundreds of privately-operated Exchange Servers to copy and remove web shells that attackers placed on them to enable backdoor access.
In a statement, the US Justice Department said the action was designed to disrupt one specific group that had been exploiting the vulnerabilities, codenamed Hafnium, that were uncovered in March.
The department said multiple groups had exploited the vulnerabilities “to access email accounts and place web shells - pieces of code or scripts that enable remote administration - for continued access.”
After the vulnerabilities were disclosed and patched, other attackers also moved to exploit servers that remained unpatched and still vulnerable to the flaws.
“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said.
“Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorised access to US networks.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
The department added that the web shells the FBI removed “each had a unique file path and name”, which it said may have made them “more challenging for individual server owners to detect and eliminate than other web shells.”
The FBI said it had removed the specific web shells but, because it does not own the servers, it did not apply patches to them “or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”
It also said it is now attempting to contact the owners of the servers, either directly or via an internet service provider.
Details of the remote access are contained in court documents that were unsealed today, although they are partially redacted.
The redactions cover the exact number of servers where backdoors were installed, potentially their physical locations, and also details around attribution.