In an unprecedented move, the Department of Justice used a court order to dismantle 'hundreds' of web shells installed using Exchange Server vulnerabilities patched by Microsoft six weeks ago.
Microsoft claimed a state-sponsored group located in China that it dubbed Hafnium actively exploited the vulnerabilities at the time of the patch.
"Today’s court-authorized removal of the malicious web shells demonstrates the department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," said Assistant Attorney General for National Security John Demers in a statement. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity."
Microsoft, which patched two new vulnerabilities in Exchange Server Tuesday afternoon, declined a request for comment.
The department used the web shells to remove themselves, sending them commands to delete. The FBI will try to alert all parties who had the shells removed by email, and is contacting internet service providers to find victims via IP address.
"This action is extraordinary, and evidence of just how dangerous the government viewed the malware that was found in Microsoft Exchange servers," said Lisa Sotto, chair of Hunton Andrews Kurth's global privacy and cybersecurity practice and the managing partner of the firm's New York office. "It is unprecedented for the government to reach into private-sector systems to remove malware, apparently without the knowledge of the system owners."
"This really is something," she added. "I can’t recall ever seeing anything like it."
While many organizations have already addressed the Microsoft Exchange Server issues, small and medium-sized enterprises that invest less in cybersecurity are often among the pool that that have not. The court action therefore goes "above-and-beyond to protect businesses that fall below the enterprise security poverty line," noted Kyle Hanslovan, co-founder and CEO of Huntress, a security company that focuses on managed services.
The fact that the law enforcement and legal community, not intelligence, took action is important for gaining acceptance among private sector organizations and privacy rights groups, Hanslovan added. "Now that this effort has come to light," he said, "it's time to optimize the way government and private industry partnerships work, establish rules of engagement for when the inevitable failed remediation occurs, and emphasize the need for public transparency after a response action."
Malcolm Harkins, chief security and trust officer for Cymatic, said that for the government's part, the move implies a growing understanding that cyber risks should be addressed with the same urgency of other threats to national security and critical infrastructure.
"I applaud the approach. If you were to take it further perhaps the cost of the clean-up should be billed to the folks who didn’t remove the web shell," he said, drawing an analogy to a chemical plant owner that didn't act quickly enough in response to a chemical spill, and to actions taken by federal authorities after the BP oil spill. In this case, costs of the clean-up include legal and administrative fees in addition to issuing the delete command.
The DoJ states that it removed "one early hacking group’s remaining web shells," while noting that several groups, both criminal and nation-state, have utilized the vulnerabilities. They have not claimed to remove more than that one group's web shells and removing the web shell will not patch the underlying vulnerabilities.
"There’s no doubt that more work remains to be done, but let there also be no doubt that the department is committed to playing its integral and necessary role in such efforts," Demers said in the statement.
SC Media Editor in Chief Jill Aitoro contributed to this report.