The court-approved operation eliminated “malicious web shells” from hundreds of vulnerable computers.
The Justice Department on Tuesday revealed that the FBI undertook a court-approved operation to remove “malicious web shells” from compromised Microsoft Exchange email servers in the US. The web shells are snippets of code that act as backdoors and could have allowed continued unauthorized access to emails and US networks, said the DOJ.
In early March, Microsoft released an emergency security update for its Microsoft Exchange email and communications software, patching a security hole in versions of the software going back to 2013. There were signs that at least 30,000 organizations across the US may have been hit by hackers who stole email communications from their systems.
While many server owners were able to remove the malicious web shells, the DOJ said “others appeared unable to do so, and hundreds of such web shells persisted unmitigated.” The FBI obtained a search warrant to access compromised Exchange servers, copy the web shells as evidence and then remove them from the servers.
Authorities requested that the warrant be sealed until the operation was complete. The FBI is now attempting to notify all owners and operators of computers it accessed to remove the web shells, according to the release.
“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” said Jennifer B. Lowery, acting US attorney for the Southern District of Texas, in a release. “We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.”
The Justice Department said the operation was “successful” but noted that it didn’t patch any other vulnerabilities or remove additional malware that may have been placed on servers by hackers using the web shells.
On Tuesday, Microsoft released patches for more than 100 security vulnerabilities, in software including Windows 10, Microsoft Exchange, Microsoft Azure and Microsoft Office, as part of its monthly Patch Tuesday security update.