FBI ‘legitimately wipes out’ WebShell on compromised Exchange server

From January to February 2021, several hacking groups used a zero-day exploit chain (ProxyLogon) in Microsoft Exchange mail server software to access email accounts, and placed WebShells on the compromised servers to retain remote access and control.

After the vulnerabilities and patches were released, other hacking groups followed suit in early March, targeting Exchange servers.

Although many owners of infected systems have successfully removed the WebShells from thousands of computers, hundreds of servers are still running them.

As a result, on April 13, 2021, the DOJ announced a court-authorized action allowing the FBI to access hundreds of compromised Microsoft Exchange servers used to provide enterprise-grade email services in the United States, copy the WebShells found on those servers, and then delete the malicious WebShells from them.

On March 2, 2021, Microsoft announced that a hacking group had used multiple zero-day exploits to target computers running Microsoft Exchange Server software. Various other hacking groups have since exploited the same vulnerabilities to install WebShells on thousands of compromised computers, including ones located in the United States. Because each of the WebShells the FBI needs to remove has a unique file path and name, they can be more challenging to detect and clean up than generic WebShells. As for how they are removed, the details are not hard to guess: the servers still carrying a WebShell have, for the most part, never applied the latest patches for the vulnerabilities, so…

The FBI sought to provide notice of the court-authorized action to all owners or operators of computers from which the hacking group's WebShell was removed. For victims with publicly available contact information, the FBI sends an email from an official FBI email account (@FBI.gov) to notify the victim. For victims whose contact information is not publicly available, the FBI sends an email from the same FBI email account to a provider believed to have that contact information (such as the victim's ISP) and asks the provider to notify the victim.

In the FBI's WebShell removal on April 13, the WebShell of an early hacking group was deleted. The FBI issued a command to the server through the WebShell itself, causing the server to delete only that WebShell (identified by its unique file path).

The figure below shows the command being executed (this shows the operation on a single server only and does not represent the removal of other WebShells).


In addition, foreign media recently reported that in 2016 the FBI hired a company to unlock a shooter's iPhone after Apple had refused to cooperate with the unlocking. The company is Australian defense contractor Azimuth Security, which makes hacking tools for the U.S., Canadian and U.K. governments and provided the FBI with a series of iOS exploits (Condors) to unlock iPhones. Azimuth is now part of L3Harris Technologies, which acquired Azimuth and Linchpin Labs in April 2018.

Linchpin Labs also provides exploits to the FBI and to intelligence services in Australia, the United Kingdom and Canada, and the FBI once obtained an exploit against the Tor browser from Azimuth.