According to the US Department of Justice, the FBI had operated in the web security systems. They had abolished malicious web shells from hundreds of computers in the United States that were running vulnerable versions of the Microsoft Exchange Server. Reports were revealed last week that this operation has been carried out to removed web shells from hundreds of computers in the United States. This development secured many organizations. But now the directions of cybersecurity are considered to be at risk.
In March, Microsoft had released a security update. It was crucially updated for the protection of Exchange Server customers from cyberattacks exploiting the vulnerabilities. Not every organization had applied for this security patch as many are left to do so. This was done after this year’s zero-day vulnerabilities in Microsoft Exchange Server; actively exploited by a nation-state-backed hacking operation, were discovered.
Those organizations that had not updated the Microsoft security patches are now exposed to a number of cyberattacks. These include ransomware gangs, nation-state groups, crytojackers, and cybercriminal gangs that can exploit the Exchange vulnerabilities.
FBI operated to eliminate all kinds of web shells that the hackers used to exploit the vulnerabilities. These included the scripts and codes to enable remote administration privileges. Which automatically paves way for the illegal backdoor access for cyber espionage and many more other illegal activities. Those web shells were hundreds in number. FBI first spotted the unconditional web shells keenly and then removed them from the hundreds of systems. The removal process was so expanded that the one hacking group’s remaining web shells have been entirely removed by it.
Tonya Ugoretz who is an acting assistant director of the FBI’s cyber division earlier reported the matter to the media and said;-
“This operation is an example of the FBI’s commitment to combating cyber threats through our enduring federal and private sector partnerships, Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,”
Organizations in large numbers were threatened by the web shells and that is the main reason for the FBI to take the action. FBI gained access to the systems of the agencies and organizations without their knowledge. And they are now being notified gradually after the operation was taken because of the threat the web shells posed to the organizations. This is where the most debate happens on how the FBI can access the systems without approval. Intentions might be good or bad but now accessing the system to remove hackers has been approved by the court which causes insecurity for organizations.
According to Profesor David Brumley, co-founder, and CEO of ForAllSecure, a cybersecurity company; The effort by the FBI amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not OK, While I understand the good intention – the FBI wants to remove the backdoor – this sets a dangerous precedent where law enforcement is given broad permission to access private servers.”
While addressing the future policies which could result from this operation he stated;
“We don’t want a future where the FBI determines someone may be vulnerable and then uses that as a pretext to gain access. Remember: the FBI has both law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn’t locked, and then using that as a pretext to enter”
At the same time, there are many other people supporting the FBI’s accession in entering networks and removing web shells from compromised Microsoft Exchange servers. They are of the view that it was the best thing the FBI could do as organizations are fighting a cyber battle against hackers that are more powerful and resourced.
Troy Gill who is a threat hunter and manager at security company Zix said;
“I believe this involvement by the FBI is seen as much appreciated by the private sector when it comes to protecting against nation-state attacks. Right now it is as if the private sector is fighting these nation-state attacks with one hand tied behind our backs, especially when our adversaries are pulling no punches.”
However, the FBI has not patched any Microsoft Exchange Server zero-day vulnerabilities. It has also not eliminated any additional hacking or hacking tools that can be placed on networks by attackers. It has just removed the malicious web shells. This signifies that businesses are even now exposed to malicious attacks if they have not applied the patches or inspected the network for any threatful activity. And most importantly also if they do not know that the FBI entered the network to remove the web shells.
Bob Botezatu the director of threat research and reporting at Bitdefender explained;
“The FBI initiative to remove web shellcode from compromised Microsoft Exchange servers may be regarded as an important milestone in fighting cybercrime. However, while this operation removes attackers’ access to these vulnerable servers, it doesn’t immediately improve their security, The removal of the web shell does not affect the operation of additional malware that might have been planted on the server post-compromise and also does not patch the root issue, so attackers could easily re-exploit the vulnerable server and regain web shell access to it”.
Microsoft was asked for their opinion on this matter but according to a spokesperson they have nothing to say on this. A joint advisory from the FBI and CISA (Cybersecurity & Infrastructure Security Agency) has urged organizations to apply the relevant security patches and other procedures to protect their networks from attacks but many of them still do not even know about FBI accessing their systems for all this and also until the patches are applied, the servers are still going to remain vulnerable to cyberattacks. This is a bit of chaos right now.