What Cybersecurity Pros Must Know About FBI’s Web Shell Removal

Since December 2020, U.S. law enforcement and other government agencies tasked with protecting the nation’s IT networks and infrastructure have faced a pair of daunting cybersecurity challenges.

The first was the SolarWinds supply chain attack, where nation-state hackers used a Trojanized software update within the company’s Orion network monitoring platform to target 100 private firms along with nine federal agencies. The second major incident was a series of attacks where hackers exploited multiple vulnerabilities within on-premises Microsoft Exchange email servers.

In the case of SolarWinds, the Biden administration has tried to address the issue partly through sanctions that targeted Russian attackers that the White House says are responsible for the incident, as well as companies and individuals who may have helped or supplied services to those who did the actual hacking.

In the case of the Exchange attacks, however, the U.S. government took a different approach. On April 13, the FBI obtained a court order from the U.S. District Court for the Southern District of Texas in Houston that allowed agents to go into an unspecified number of private networks to remove some of the malware used by the attackers.

As part of the court order, the FBI was then allowed to remove web shells—code or scripts that enable remote administration—from Exchange servers that had been targeted or compromised. The bureau did not notify the companies and organizations that owned on-premises email systems, but the U.S. Department of Justice has been attempting to contact those affected.

Some legal and cybersecurity experts believe this may have been the first time the FBI had taken these types of legal steps to address an ongoing cyberthreat. Analysts say a 2016 change in Rule 41 of the Federal Rules of Criminal Procedure paved the way for the bureau to go into private networks to hunt for malware (or in this case, malicious web shells).

And while some applaud the FBI for taking a bold step, there is concern about giving a law enforcement agency access to private networks, even when the intentions are designed to stop attacks and eliminate malware and other malicious activity.

“I think this means that cybersecurity is starting to become recognized as a critical issue on the national stage,” Drew Schmitt, principal threat intelligence analyst at GuidePoint Security, told Dice. “For the FBI to take such an aggressive and direct action against these web shells, it clearly means that they felt that the threat of these web shells on so many Exchange servers was high enough for the United States that it required a special level of mitigation we haven’t seen used thus far.”

Schmitt added that the issue does raise a host of privacy, legal and cybersecurity questions that organizations and their IT and security teams are going to have to wrestle with going forward.

“The intentions of the FBI were good and they aimed to mitigate a widespread threat affecting many organizations in the United States. But with this action comes concerns of setting precedent for the FBI to access systems whenever deemed ‘necessary’ and unintended negative consequences of removing malware without authorization from the host company,” Schmitt said. “There should be a conversation around guardrails, standards and some form of consent from host organizations whether that be from an opt-out type program or otherwise. Finding a blended solution that honors both privacy and security would be an effective solution for all parties involved.”

Size and Scale

By some accounts, as many as 68,000 on-premises Exchange servers could have been attacked starting sometime in February, when attackers began exploiting four zero-day vulnerabilities. Microsoft originally attributed the first wave of attacks to a threat group it calls Hafnium, which the company suspects operates from China. Other security researchers later found other threat groups and cybercriminal gangs also taking advantage of the flaws.

To date, neither the FBI nor the U.S. Cybersecurity and Infrastructure Security Agency has publicly attributed the attacks to one group or nation-state.

What the court in Texas allowed FBI agents to do once they identified compromised Exchange servers was to access and enter a password for the web shells. The bureau also made a copy of the web shells as evidence before deleting them.

The FBI stressed that it did not patch vulnerable Exchange servers or remove other malware or malicious tools within these systems and networks.

In the court documents, an FBI agent noted that one reason why the bureau had taken these steps is that “most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own.”
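The workflow described above, in which a suspect web shell is located, a copy is preserved as evidence and only then is the file removed, written out as an added example in Python. This is not the FBI’s tooling and nothing here comes from the court filing. It assumes the defender has a hash baseline of the known-good script files in the web root (one way to cope with the “unique file names and paths” problem, since anything not in the baseline stands out regardless of its name), and it runs against a constructed temporary directory in place of a real Exchange web root; the file names, directory layout and file contents are made up for the demonstration.

```python
"""Evidence-preserving quarantine of unexpected script files (added example, not from the article)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Assumption: server-side script types worth reviewing on an IIS/Exchange web root.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_candidate_files(root: Path, baseline: set, extensions=SCRIPT_EXTENSIONS) -> list:
    """Return script files under root whose hashes are not in the known-good baseline.

    Matching on content rather than name means an odd or random file name does not help
    the file hide, and a known-good page renamed by an administrator is not flagged.
    """
    found = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in extensions and sha256_of(p) not in baseline:
            found.append(p)
    return sorted(found)


def preserve_and_remove(path: Path, evidence_dir: Path) -> dict:
    """Copy the file and its metadata into evidence_dir, log it, then delete the original."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    st = path.stat()
    digest = sha256_of(path)
    copy_path = evidence_dir / f"{digest}{path.suffix}"
    shutil.copy2(path, copy_path)  # copy2 keeps the original timestamps for forensics
    # Verify the evidence copy before anything destructive happens.
    if sha256_of(copy_path) != digest:
        raise RuntimeError(f"evidence copy of {path} failed verification")
    record = {
        "original_path": str(path),
        "sha256": digest,
        "size": st.st_size,
        "mtime": st.st_mtime,
        "evidence_copy": str(copy_path),
        "removed_at": time.time(),
    }
    with (evidence_dir / "manifest.jsonl").open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    path.unlink()
    return record


def demo() -> dict:
    """Build a constructed web root, run the workflow, and return facts a caller can check."""
    work = Path(tempfile.mkdtemp(prefix="webroot_"))       # stands in for the Exchange web root
    evidence = Path(tempfile.mkdtemp(prefix="evidence_"))  # where preserved copies go
    known_good = work / "owa" / "auth" / "logon.aspx"      # constructed known-good page
    known_good.parent.mkdir(parents=True)
    known_good.write_text("<%-- constructed sample: known-good page --%>\n")
    odd = work / "owa" / "auth" / "a1b2c3.aspx"            # constructed unexpected file; not a real indicator
    odd.write_text("<%-- constructed sample standing in for an unknown script --%>\n")

    baseline = {sha256_of(known_good)}
    candidates = find_candidate_files(work, baseline)
    records = [preserve_and_remove(p, evidence) for p in candidates]
    copy_matches = all(sha256_of(Path(r["evidence_copy"])) == r["sha256"] for r in records)
    return {
        "candidates": [p.relative_to(work).as_posix() for p in candidates],
        "records": records,
        "original_removed": not odd.exists(),
        "known_good_still_present": known_good.exists(),
        "copy_matches": copy_matches,
        "evidence_dir": str(evidence),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of operations is the point: hash, copy, verify the copy, write the manifest line, and only then unlink. A removal that skips the preservation step leaves the owner with no artifact to examine for what else the intruder did, which is exactly the forensic concern raised about clean-ups done without the system owner’s involvement.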

It’s this view that makes some security experts question whether enough is being done in the private sector to protect networks when the dangers are so obvious.

“The FBI took matters into their own hands to remediate the threat,” Tal Morgenstern, co-founder and chief product officer at Vulcan Cyber, told Dice. “Every security and IT organization has change controls in place. For the FBI, they decided to sidestep any change controls in place using a court order and a search warrant to stop the bleeding and secure these servers. In my opinion, the FBI made the right move and we need to see more proactive steps taken to remediate the vulnerabilities we know are out there threatening both our national and corporate interests.”

Erkang Zheng, founder and CEO at JupiterOne, believes that IT and security leaders and their teams—whether their organizations were affected by the Exchange attacks or not—should use this opportunity to get a better handle on what systems and applications are living on their networks and take inventory.

“Knowing what you have in your environment, from servers such as Microsoft Exchange to the details of what’s running on them at any given time, is a fundamental necessity to cybersecurity operations,” Zheng said. “However, this can often be very difficult to do well, especially at scale. The recent actions by the government are drastic and unprecedented for sure, however, it was probably necessary. I think we will see similar actions again in the future. It should serve as a warning bell for organizations to cover the basics.”

These Times Are A-Changing

And while the FBI’s legal actions to address possible threats from the Exchange attacks are new territory for the bureau, other law enforcement agencies are experimenting with similar tactics for cybersecurity problems.

Earlier this year, Europol, the EU’s law enforcement intelligence agency, led an international effort to disrupt the Emotet botnet, which was considered one of the most dangerous malware strains operating throughout the world.

As part of this effort, Europol and other law enforcement agencies in Europe developed a malware model that was sent to victims’ devices to remove the Emotet malware from infected devices. This then allowed police to disconnect devices from the botnet in April.

Dirk Schrader, global vice president for security research at the software company New Net Technologies, believes that the actions by the FBI and Europol will not only continue, but also force IT and security teams to reconsider what is happening to their networks and who is really in control.

“It seems likely that law enforcement agencies will attempt to do more of these clean sweeps for national security reasons, and it is a promising alternative to any discussion about hacking back. While a good move overall, there are a few elements which need to be understood and verified from a company’s perspective,” Schrader told Dice. “For instance, the removal of an exploit from systems by law enforcement either without or with late information provided to system owners inhibits proper forensic analysis of affected devices for traces of additional backdoors or about what data has been accessed.”

GuidePoint’s Schmitt noted that IT and security pros need to be reminded that they are part of a larger, much more interconnected community now.

“Until now, most cybersecurity professionals, systems administrators, and other IT professionals likely viewed their jobs in relation to the organizations they worked for. As we are seeing with attacks on these Exchange vulnerabilities, we are part of a larger community that can have a larger impact on cybersecurity through information sharing and keeping our respective networks patched and up to date,” Schmitt said. “As we all reduce the ability for threats to infiltrate our networks, we contribute to an improved cybersecurity posture at a national level.”