U.S. D.O.J. in Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities

engine

10:30 am on Apr 14, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The U.S. Justice Department has taken steps to authorize an operation to copy and remove malicious web shells from vulnerable Microsoft Exchange Server software.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

[justice.gov...]

Earlier story

Microsoft Exchange Server Updates Resolve 0-Day Vulnerabilities [webmasterworld.com]

lammert

10:52 am on Apr 14, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path). (...) This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.
So basically the FBI was using the remote access functionality of one variety of malware to remove that specific malware. But they didn't patch the security issue in Exchange. That means that unpatched Exchange installations are still vulnerable to new attacks. And nothing changed for those who have been infected by other hacker groups.

not2easy

2:13 pm on Apr 14, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I just read about a Microsoft Exchange Email app vulnerability: [cbsnews.com...]
The National Security Agency (NSA) said Tuesday that it had alerted Microsoft to "a series of critical vulnerabilities" in the Microsoft Exchange email application, prompting the company to issue a new patch.

In a blog post, Microsoft said it had "not seen" the vulnerabilities used against its customers, but urged users to install timely updates.

There may be more to do after the Patch Tuesday thing: [webmasterworld.com...]

engine

2:20 pm on Apr 14, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The whole issue over Exchange Servers is a mess, and I wonder how much of it is to do with sloppy coding or failing to react fast enough when discovered, or a combination of both.

So basically the FBI was using the remote access functionality of one variety of malware to remove that specific malware. But they didn't patch the security issue in Exchange.


It seems an odd way around, but I guess the FBI isn't placed to fix the software.

lammert

9:47 pm on Apr 14, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I understand that the FBI is not the organization to fix holes, but why fix just one small part of the problem? Or do they want to tell the world "Look what we can do"? It would be better IMO if they just scanned the internet and warned the owners of vulnerable installations in person.

Regarding the Exchange servers, I agree it is a mess. The first target was the Microsoft Office suite about 20 years ago. Then came the browser and operating system as targets. After those holes were closed hackers found flaws in the RDP protocol. I expect the problems of Exchange to be much bigger than in the other software. Exchange has a massive attack surface with several connection protocols and lots of legacy code in a monolithic piece of software.