• FBI "grey hats" delete web shells on compromised exchange servers

    From Big Bad Bob@21:1/5 to All on Wed Apr 14 13:04:40 2021
    https://www.theregister.com/2021/04/14/fbi_exchange_server_malware_deletion/

    "The FBI deleted web shells installed by criminals on hundreds of
    Microsoft Exchange servers across the United States, it was revealed on Tuesday."

    "The Feds were given approval by the courts to carry out the deletions,
    which occurred without first warning the servers' owners, following the discovery and exploitation of critical vulnerabilities in the enterprise software."

    I think this is a good thing. It was probably faster to get the malware
    to go away in this manner. I remember the old 'Code Red' exploit that
    created a back door into 'CMD.EXE'. It was in memory, so in theory you
    could shut down the service from the exploit hole and end the problem.
    "Failing to restart it too" would be a side benefit [to prevent re-exploitation].

    "Shortly after Microsoft raised the alarm early last month over the
    security holes in Exchange and provided fixes for the vulnerabilities, miscreants swarmed to exploit the programming blunders and hijack
    unpatched installations."

    <quote>
    "Although many infected system owners successfully removed the web shells
    from thousands of computers, others appeared unable to do so, and
    hundreds of such web shells persisted unmitigated," the Justice
    Department noted in an announcement. "Today's operation removed one
    early hacking group's remaining web shells, which could have been used
    to maintain and escalate persistent, unauthorized access to US networks."
    </quote>

    "Critically, however, the Feds did not touch the servers themselves and
    so they remain unpatched and open to infiltration."

    "The FBI said it will try to send emails to the operators of all the
    servers it discovered the web shells on, advising them how to patch
    their equipment."

    More or less, just like it was for code red. So they notified the
    owners to patch their stuff, after nuking the malware from high orbit.
    But it is still up to the owners to patch their schtuff.

    --
    (aka 'Bombastic Bob' in case you wondered)

    'Feeling with my fingers, and thinking with my brain' - me

    'your story is so touching, but it sounds just like a lie'
    "Straighten up and fly right"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Auric__@21:1/5 to Big Bad Bob on Wed Apr 14 21:56:18 2021
    Big Bad Bob wrote:

    "The FBI said it will try to send emails to the operators of all the
    servers it discovered the web shells on, advising them how to patch
    their equipment."

    Anyone with half a brain that gets an unexpected email from fbi.gov is just going to delete it without looking. I know I would.

    --
    That doesn't change the fact that you're a psycho.
