A Texas court has authorized the FBI to ‘copy and remove’ backdoors from several hundred Microsoft Exchange email servers in the United States. This comes just months after hackers used four previously unknown vulnerabilities to attack thousands of networks.
This operation, which the Justice Department described as ‘successful’, was announced on Tuesday.
Microsoft discovered a Chinese state-sponsored hacking group called Hafnium in March. Redmond noticed that the group was targeting Exchange servers run from corporate networks. The four vulnerabilities, when chained together, gave the hackers the ability to get into a vulnerable Exchange server and steal data. Microsoft has since addressed the vulnerabilities, but the patches did not remove the backdoors from servers that had already been breached. Within days, other hacking groups began hitting these vulnerable servers with the same flaws to deploy ransomware.
The number of infected servers fell as patches were applied. But hundreds of Exchange servers remained compromised because of these backdoors, which are difficult to find and even more difficult to eliminate.
This operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command to each server through its web shell; the command was designed to make the server delete only that web shell, identified by its unique file path.
The FBI