FBI Removes ‘Malicious Web Shells’ Tied to China-Linked Microsoft Hack

The Justice Department announced a “court-authorized operation” by the FBI to copy and remove “malicious web shells” from hundreds of U.S. computers in response to the massive cyberattacks against Microsoft’s Exchange Server, which the Big Tech company has assessed are being carried out by a sophisticated Chinese state-backed hacker group and others, Washington Examiner reports.

Microsoft detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks,” the company said in an early March announcement, adding that its Threat Intelligence Center attributed the cybercampaign with “high confidence” to a hacker group dubbed “Hafnium.”

Microsoft said the hacker group was “state-sponsored” and operating out of China. The Microsoft Exchange Server handles the company’s email, calendar, scheduling, contact, and collaboration services.

The Justice Department said Tuesday that in January and February, hacking groups accessed Microsoft email accounts and placed web shells, pieces of code that allow outside actors to take remote control, to continue and expand their access and that other hacking groups soon joined in after the vulnerability was publicized last month.

Investigators said that although many owners of infected systems fixed the problem, hundreds of web shells “persisted unmitigated,” and so the DOJ’s new operation “removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access” to networks in the United States.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General for the National Security Division John Demers said Tuesday.

“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

Unsealed search-and-seizure warrant documents reveal submissions filed by an unidentified FBI special agent in the U.S. District Court for the Southern District of Texas. The bureau agent noted that “Microsoft assessed that HAFNIUM actors are state-sponsored and operating out of China based on observed victimology, tactics, and procedures.” The request was approved by a judge.

Microsoft said last month that Chinese hackers used Microsoft vulnerabilities to access email accounts and to install additional malware “to facilitate long-term access to victim environments.” Microsoft said Hafnium “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs” and that it “operates primarily from leased virtual private servers in the United States.”

Chinese Foreign Ministry spokesman Wang Wenbin rejected Microsoft’s claim that China was involved in the cyberattacks.

The FBI said then that the bureau was “working closely with our interagency and private sector partners to understand the scope of the threat.”

Microsoft also provided an update on Tuesday warning about continued vulnerabilities in its Exchange Server, saying that “given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.” The tech company said, “These new vulnerabilities were reported by a security partner,” the National Security Agency, “through standard coordinated vulnerability disclosure and found internally by Microsoft.”

NSA Cyber’s account tweeted that the agency “urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks.”

Anne Neuberger, the deputy national security adviser for cyber and emerging technology who was named as the point person coordinating the U.S. government’s response to the separate SolarWinds breach, said in mid-February that the response to the SolarWinds hack will “holistically” consider all of the “likely Russian” malign cyberactions when putting together a response to those intrusions.
