US FBI Removes Hundreds of Malicious Web Shells from Compromised Computers
The US Federal Bureau of Investigation have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities, many of which were removed without the businesses being warned beforehand.
ProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. Microsoft last month warned that the bugs were being actively exploited by the Hafnium advanced persistent threat (APT); after that, other researchers said that 10 or more additional APTs were also using them.
ProxyLogon consists of four flaws, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, that can be chained together to create a pre-authentication remote code execution (RCE) exploit. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.
The number of patches being released and applied to address the ProxyLogon issue, neither help the staggering number of already-compromised computers. This state of affairs prompted the FBI to take action; in a court-authorized action, it issued a series of commands through the web shells to the affected servers. The commands were designed to cause the server to delete only the web shells (identified by their unique file path). It didn’t notify affected organizations ahead of time, but authorities said they’re sending out notices now.
“Many infected system owners successfully removed the web shells from thousands of computers,” explained the Department of Justice, in a Tuesday announcement. “Others appeared unable to do so, and hundreds of such web shells persisted unmitigated.”
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John Demers for the DoJ’s National Security Division, in the statement.