In a statement issued on Tuesday, the Department of Justice said these servers had been exploited in January and February by some groups who used zero-day vulnerabilities that Microsoft publicised on 3 March.
More groups piled on in March while some of the earlier Web shells were removed by the owners, the statement said.
The FBI removed the shells by issuing a command through the Web shell to the server, which was designed to cause the server to delete only the Web shell which was identified by its unique file path.
|
Exchange servers that were serving webshells are at high risk of being hacked again now. It is unlikely the webshells will have shared default passwords again.
— thaddeus e. grugq (@thegrugq) April 14, 2021
Conclusion: FBI YOLO burned their opportunity to remediate the second wave surge of Exchange hacks. Heckuva job https://t.co/vDmuHdPW1y
“Today’s court-authorised removal of the malicious Web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said assistant attorney-general John Demers for the Justice Department’s National Security Division.
“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cyber security.
"There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”
Acting US Attorney Jennifer Lowery of the Southern District of Texas said: “Combatting cyber threats requires partnerships with private sector and government colleagues.
I like that the FBI had to go and get a rule 41 warrant to hack domestic Microsoft Exchange servers and remove malware from them, because Microsoft were too busy vacuuming the lawn. https://t.co/99QRnw6sus
— MalwareTech (@MalwareTechBlog) April 14, 2021
“This court-authorised operation to copy and remove malicious Web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals.
"We will continue to do so in co-ordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.”
Acting assistant director Tonya Ugoretz of the FBI’s Cyber Division said: “This operation is an example of the FBI’s commitment to combatting cyber threats through our enduring federal and private sector partnerships.
“Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners.
"The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions.”