The FBI has taken matters into its own hands after hackers took advantage of a series of vulnerabilities in Microsoft Exchange Server. This new tactic seems to make some security professionals uncomfortable.
With many organizations failing to fix the problems related to the recently announced vulnerabilities, the FBI, with court approval, went into affected organizations’ web servers and removed web shell malware from thousands of computers, the agency announced on April 13.
If allowed to remain on company IT systems, the web shells, which can give hackers remote access to web servers, could have been used by hackers for “persistent, unauthorized” access to networks in the United States, the FBI said in a press release.
The FBI used the hackers’ web shells to destroy the malware. Agents issued a command through the web shell to the server, which was designed to cause the server to delete only the malicious web shell, the agency said in its press release.
The FBI attempted to notify the affected organizations by email. The agency noted that it did not patch the vulnerabilities, announced on March 2.
The operation shows the Department of Justice’s “commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” John Demers, Assistant Attorney General for the DOJ’s National Security Division, said in the press release.
While the FBI received court approval for its removal operation, some security experts questioned the agency’s methods.
The FBI’s move is a “new take on breach mitigation,” said Saryu Nayyar, CEO of cybersecurity vendor Gurucul. “The FBI initiative is more of an FBI takeover. While the move may be well intentioned, it certainly seems like the companies targeted by the FBI should have been informed of this broad act of malware removal.”
It’s “deeply disturbing” that many organizations didn’t know the FBI accessed their networks, she added.
But the FBI action may also lead to positive results, Nayyar added.
“On the flip side, companies running on-premises versions of Microsoft Exchange who took no action to remove the web shells used by cybercriminals deserve what they get, quite honestly,” she said. “And getting help with malware removal is a much kinder impact than allowing attackers to run amok in the network.”
Instead of taking action before notifying the affected company, the FBI should inform it of the malware and offer assistance if it’s accepted, suggested Bobby Bermudez, president of Symposit, an IT security and operations provider.
Without prior notification, the FBI’s actions “may adversely affect the company operations in an unknown way,” he told the Washington Examiner. “It is impossible for the FBI to account for every single variable and environment.”
He added that this action could set the stage for the FBI to have vast new authority related to cybersecurity.
It seems “egregious that they would simply launch these commands without the acknowledged consent of the private parties,” Bermudez said. “By doing this, it dangerously sets a precedent that they can unilaterally go after any computer system connected to the internet and simply cite an interstate commerce or foreign transaction clause.”
However, other security professionals praised the FBI for disrupting a hacking campaign attributed to a hacking group tied to the Chinese government.
It’s likely that the FBI only accessed servers that had been configured to allow untrusted connections and not those that had additional protections, suggested Noah Johnson, chief technology officer and co-founder of Dasera, a cloud security company.
Johnson said the FBI’s actions are comparable to a police officer finding the back door of a bank open after business hours. The police officer then touches the doorknob and closes the door, similar to the FBI making an untrusted connection and removing the shell scripts, he said.
“If the back door had been protected with a barbed wire fence and biometric gate and the police officer went out of his or her way to scale the fence or hack the biometric gate in order to reach the back door, then there would be more cause for concern,” he told the Washington Examiner.