There are still hundreds of unpatched Exchange servers out there, and the FBI has taken on the job of clearing them of the web shells that attackers deployed through the vulnerabilities known as ProxyLogon.
Organizations running Exchange servers in the United States could have been compromised and received this service from the FBI without even knowing about it.
On Tuesday, the Department of Justice announced that the FBI had received authorization to remove web shells installed on compromised Exchange servers, as many server owners had been unable to patch their infected machines themselves.
“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said.
This is because each shell had a unique file path and name, which made it difficult for server owners to find and remove them.
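Because every dropped shell carried its own unique path and name, matching on known filenames is not a reliable way to find them; comparing the content of script files against a known-good baseline is. The following is an added example, not code from the article or from the FBI operation, showing that approach on a constructed web root: the directory names (`owa/auth`, `ecp`), file names and page contents are all assumed sample data, and the "dropped" files are harmless placeholder text.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample content (not real web shell code). One stands in for a
# legitimate page shipped with the server, the other for a file dropped later.
LEGIT_PAGE = b'<%@ Page Language="C#" %><html>sample legitimate page</html>'
DROPPED_PAGE = b'<%@ Page Language="C#" %><html>sample unexpected page</html>'


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large script files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def script_files(root: Path, exts=(".aspx",)):
    """Yield every file under root whose extension is in exts (case-insensitive)."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            yield p


def build_baseline(root: Path, exts=(".aspx",)) -> dict:
    """Record relative path -> sha256 for every script file in a known-good tree."""
    return {str(p.relative_to(root)): sha256_of(p) for p in script_files(root, exts)}


def find_unexpected(root: Path, baseline: dict, exts=(".aspx",)) -> list:
    """Return relative paths of script files absent from the baseline.

    A file is accepted if its path/hash pair matches the baseline, or if its
    content matches some baselined file (a legitimate copy under a new name).
    Everything else is reported, whatever it is called."""
    known_hashes = set(baseline.values())
    unexpected = []
    for p in script_files(root, exts):
        rel = str(p.relative_to(root))
        digest = sha256_of(p)
        if baseline.get(rel) != digest and digest not in known_hashes:
            unexpected.append(rel)
    return unexpected


def name_blocklist_hits(root: Path, blocklist, exts=(".aspx",)) -> list:
    """Name-based check for comparison: only catches files with a listed name."""
    return [str(p.relative_to(root)) for p in script_files(root, exts)
            if p.name.lower() in {n.lower() for n in blocklist}]


def build_sample_tree():
    """Create a constructed web root, baseline it, then drop two files after the fact."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    auth = root / "owa" / "auth"          # assumed directory layout
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_bytes(LEGIT_PAGE)
    baseline = build_baseline(root)       # taken while the tree is known-good
    # Same dropped content, two unrelated names (constructed): a blocklist of
    # previously seen names would miss both, a content baseline catches both.
    (auth / "a7f3kq.aspx").write_bytes(DROPPED_PAGE)
    (root / "ecp").mkdir()
    (root / "ecp" / "zx91pm.aspx").write_bytes(DROPPED_PAGE)
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    print("name blocklist found:", name_blocklist_hits(root, ["shell.aspx"]))
    print("baseline diff found:", find_unexpected(root, baseline))
```

In practice the baseline would come from a clean install or a recorded snapshot of the server's web directories taken before exposure, and anything the diff reports would be preserved for analysis before removal, since the hits are evidence of how and when the server was reached.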
In March, the department said there were “hundreds” of shells still in the wild on US servers.
During the operation, the FBI removed one early hacking group’s web shells, which attackers could have used to maintain unauthorized access to compromised networks.
The agency explained that it removed the web shells by sending a command through each web shell to the affected server, instructing the server to delete that specific web shell, identified by its unique file path.
However, those Exchange servers remain unpatched, and their owners still have to follow Microsoft’s advice.
“This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”