The FBI is attempting to secure hundreds of computers compromised by the Hafnium hack by hacking into them itself, using the original hackers’ own tools, in what is believed to be an unprecedented step (via TechCrunch).
The hack, which reportedly affected tens of thousands of Microsoft Exchange Server customers around the world and prompted the White House to issue a “whole of government response,” left behind a variety of backdoors that could be exploited by any number of other hackers. The FBI took advantage of this by remotely removing them itself, using the same web shells / backdoors that anyone else could have used.
“The FBI conducted the removal by sending a command to the server via the web shell that was intended to prompt the server to delete only the web shell (identified by its unique file path),” according to the US Justice Department.
The bizarre aspect is that the owners of these Microsoft Exchange Servers likely had no idea the FBI was there; the Justice Department claims it is only now “attempting to give notification” to the owners of the servers it acted on. According to the department, it is doing everything with the blessing of a Texas judge.
It’ll be fascinating to see whether this sets a pattern for how big hacks like Hafnium are handled in the future. Although I’m still unsure, it’s easy to say that the FBI is doing the world a favour by eliminating such a hazard — while Microsoft’s initial response was painfully slow, after many urgent warnings, Microsoft Exchange Server customers have had well over a month to patch their own servers. I’m curious how many customers will be enraged, and how many will be relieved that the FBI, rather than some other intruder, took advantage of the open door. We know that critical-but-local government infrastructure frequently has egregious security practices, as evidenced by the recent tampering with two local drinking water supplies.
By the time the FBI began its remote removal of Hafnium backdoors, tens of thousands of servers had already been patched by their owners, and the operation only removed “one early hacker group’s remaining web shells that could have been used to maintain and intensify continuing, unauthorised access to U.S. networks.”
“Today’s court-authorized removal of the malicious web shells shows the Department’s willingness to disrupt hacking activity using all of our legal resources, not just prosecutions,” according to a statement from Assistant Attorney General John C. Demers of the Justice Department’s National Security Division.
By the way, today is Patch Tuesday, and according to CISA, Microsoft’s April 2021 security update provides new mitigations for Exchange Server vulnerabilities. Take a look if you’re running an on-premises Exchange Server or know someone who is.