The Washington Times - Wednesday, April 14, 2021

The FBI obtained a court order that allowed it to access hundreds of computers that had been compromised by hackers who exploited vulnerabilities in Microsoft Exchange, the government said Tuesday.

The U.S. Department of Justice said the court order, authorized by a magistrate in Houston, enabled the FBI to remove “web shells” that had allowed hackers to remotely access those computers.

By exploiting vulnerabilities affecting Exchange, Microsoft’s email and calendar program, hackers were able to install the malicious web shells on thousands of computers, the Justice Department said.

Once in place, hackers can use the shells to remotely access infected computers by effectively creating backdoors that could be leveraged to install malicious software, steal data or do other damage.

Microsoft announced in early March that versions of Exchange contained multiple vulnerabilities that had been leveraged by a hacking group, which it calls HAFNIUM, assessed to be operating from China.

At the same time, Microsoft issued security updates that patched the vulnerabilities, hardening those versions of Exchange against hackers, and urged its customers to install them immediately.

However, after Microsoft disclosed the bugs, other hackers followed HAFNIUM’s lead and began exploiting vulnerable installations of Exchange before they could be patched, the Justice Department said.

The court order, dated April 9, authorized the FBI to remotely access computers in the U.S. containing malicious web shells that were left by a particular, unspecified hacking group and remove them.

“By deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them,” the FBI said in a court filing.

In a press release, the Justice Department noted the FBI neither patched the vulnerabilities on those computers nor searched for and removed any other malware that hackers may have installed.

The Justice Department said it “strongly encourages” Microsoft users to patch vulnerable products.

Separately, Microsoft said Tuesday it was aware of other, previously undisclosed “critical vulnerabilities” affecting Exchange and encouraged its customers to install security updates as soon as possible.

Microsoft declined to comment when asked by The Washington Times about the FBI’s action.

Tonya Ugoretz, the acting assistant director of the FBI’s Cyber Division, described the operation to remove the web shells as “successful.”

“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cybercriminals,” said acting U.S. Attorney Jennifer B. Lowery, the top federal law enforcement officer for the Southern District of Texas in Houston.

“There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts,” added John C. Demers, assistant attorney general for the Justice Department’s national security division.

• Andrew Blake can be reached at ablake@washingtontimes.com.
