In a veritable cyber-SWAT action, the Feds remotely removed the infections without warning businesses beforehand.
The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities.
ProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. Microsoft last month warned that the bugs were being actively exploited by the Hafnium advanced persistent threat (APT); after that, other researchers said that 10 or more additional APTs were also using them.
ProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.
While patching levels have accelerated, this doesn’t help already-compromised computers.
“Many infected system owners successfully removed the web shells from thousands of computers,” explained the Department of Justice, in a Tuesday announcement. “Others appeared unable to do so, and hundreds of such web shells persisted unmitigated.”
This state of affairs prompted the FBI to take action; in a court-authorized action, it issued a series of commands through the web shells to the affected servers. The commands were designed to cause the server to delete only the web shells (identified by their unique file path). It didn’t notify affected organizations ahead of time, but authorities said they’re sending out notices now.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John Demers for the DoJ’s National Security Division, in the statement.
Unilateral FBI Action Against ProxyLogon Exploits
Other technical details of the action are being kept under wraps, but Erkang Zheng, founder and CEO at JupiterOne, noted that the action is unprecedented.
“What makes this really interesting is the court ordered remote remediation of vulnerable systems,” he said via email. “This is the first time that this has happened and with this as a precedent, it likely won’t be the last. Many enterprises today have no idea what their infrastructure and security state looks like – visibility is a huge problem for CISOs.”
Dirk Schrader, global vice president of security research at New Net Technologies, noted that the FBI’s lack of transparency could be problematic.
“There are a few critical issues in this,” he told Threatpost. “One is the FBI stating the action was because these victims lack the technical ability to clear their infrastructure themselves, another is that it seems the FBI intends to delay informing the victims about the removal itself by at least a month, citing ongoing investigations as a reason.”
He explained, “This can cause other issues, as the victims have no chance to investigate what kind of information has been accessed, whether additional backdoors where installed, and a range of other concerns come with this approach.”
Monti Knode, director of customer and partner success at Horizon3.AI, noted that the action illuminates just how dangerous the bugs are.
“Government action is always predicated by an authority to act,” he said via email. “By specifically calling out ‘protected computers’ and declaring them ‘damaged’, that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. This isn’t a knee-jerk reaction.”
This operation was successful in copying and removing the web shells, the FBI reported. However, organizations still need to patch if they haven’t yet done so.
“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity,” Denmers said. “There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”
New Exchange RCE Bugs and a Federal Warning
The news comes on the heels of April Patch Tuesday, in which Microsoft revealed more RCE vulnerabilities in Exchange (CVE-2021-28480 through CVE-2021-28483), which were discovered and reported by the National Security Agency. A mandate to federal agencies to patch them by Friday also went out.
Immersive Labs’ Kevin Breen, director of cyber-threat research, warned that weaponization of these may come faster than usual, since motivated attackers will be able to use existing concept code.
“This underlines the criticality of cybersecurity now to entire nations, as well as the continued blurring of the lines between nation-states, intelligence services and enterprise security,” he added via email. “With a number of high-profile attacks affecting well-used enterprise software recently, the NSA are obviously keen to step up and play a proactive role.”
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.