The News: On April 13, 2021, the Department of Justice revealed it had completed an operation, authorized under a court order issued by a US District Judge in Texas, where the FBI electronically accessed privately-owned Microsoft Exchange servers to make copies of and remove the Hafnium-installed web shells. You can read the court order (In the Matter of the Search of Certain Microsoft Exchange Servers Infected with Web Shells) here.
Why the FBI Covertly Fixing Vulnerabilities in Private Servers Related to the Microsoft Exchange Server Attack is a Really Big Deal
Analyst Take: On March 2, 2021, Microsoft disclosed it was aware of an ongoing attack exploiting a series of zero-day vulnerabilities in on-premises (privately owned) Microsoft Exchange servers. This attack, which included the insertion of a web shell (backdoor) on user servers, was attributed to Hafnium, a suspected state-sponsored group operating out of China.
In the wake of the Microsoft Exchange server attack, and with the news of a new type of search and seizure tactic being deployed by the Department of Justice and the FBI, the rules of cyber security and cyber defense have just been amended in a way that is both good and more than a bit troubling. Here’s why we’re both optimistic and concerned about this latest disclosure related to the FBI fixing vulnerabilities related to the Microsoft Exchange server attack.
The FBI’s Search Warrant Related to the Microsoft Exchange Server Attack
Issued in the wake of the recent Microsoft Exchange server attack, the search warrant authorized the FBI to search for (and seize) from privately-owned servers the following:
- evidence of a crime;
- contraband, fruits of crime, or other items illegally possessed; and
- property designed for use, intended for use, or used in committing a crime.
So far, it’s a textbook search warrant. But what is the evidence the FBI sought to possess?
The FBI sought web shells installed on privately-owned servers during Hafnium’s recently discovered Microsoft Exchange server attack. This is relevant because these web shells created a backdoor that persists even after the vulnerability has been patched and the attack has ceased, providing access and control to unauthorized third parties (such as Hafnium, although the backdoors can be exploited by anybody aware they exist, knowledge of which has been widely disclosed on the dark web). This action is likely due to the fact that, in spite of the news around the Exchange server attack, many companies have not yet taken the appropriate steps to patch/update their servers, and hackers continue to actively target these organizations.
So, How Does One Seize a Web Shell?
So how does one seize a web shell? One way would be to seize the server itself. And, in fact, the FBI has been granted such authority in the past to take control of servers used by attackers to issue/control botnets, with the FBI’s intent to modify/insert code on the servers to disable the botnets on private, infected, and untouched systems.
But this instance, specific to an attempt to mitigate the damage from the Microsoft Exchange server attack, is a very different model. The FBI did, as you would expect in the physical world, actually walk away with the evidence in hand, leaving nothing behind.
Here’s how it worked. After identifying a privately-owned server the FBI believed to be compromised, the FBI:
- Sent an electronic copy of the search warrant to the email address associated with the domain’s registration contact, which is typically not a cybersecurity professional;
- Accessed the private server electronically via the same backdoor installed by Hafnium during the original attack;
- Made a copy of the web shell (the actual seizure for forensic purposes);
- Installed and executed a .aspx script (Active Server Page Extended file for Microsoft’s ASP.NET framework) on the privately-owned server that deletes the web shell; and
- Notified the private organization that the deed had been done.
Notably, and with good intent, there was no authorization for the FBI to search for, patch, or even notify organizations of any other vulnerabilities that may exist.
The FBI’s Message Here: We’re Here to Help
This is a bit like the FBI leaving a note on your walkway informing you that your dog looks hungry, then entering your house in the middle of the night, feeding the dog, and dropping a “dog fed” note on the way out — which doesn’t mention the stray dog that’s been sneaking in and eating Rover’s food.
In place of educating and mandating (enforcing) action on the part of organizations with infected servers, the FBI is in essence saying:
“We’ve been watching you and have identified a major problem, one you have failed to address and which places others at risk, so we are fixing the issue ourselves” (aka you didn’t feed the dog, so the FBI will do it for you).
It’s one thing to seize an item associated with crime, but when the intent is to remotely access a privately-owned server and fix a cybersecurity issue (on behalf of the server’s owner) it starts to appear as if, in the name of national security, the DOJ is nationalizing cybersecurity, or at least some aspect of remediation. Either way, however well-intentioned, this is a substantial insertion of the FBI into the cybersecurity issues of privately held companies and individuals.
The Questions Are Plenty
While this is arguably a positive step toward the DOJ taking a much more active role beyond policies and coordination in addressing ongoing cyber conflicts, this also raises a number of serious questions.
Is this really legal? It’s quite possible that one of the hundreds of organizations covered by this search warrant will challenge its validity in court based on the FBI’s manipulation of private servers (we’re not taking the servers, just adjusting the data/code on them).
What happens next? How deep into server software and data manipulation will the next round of search warrants go, now that the courts have permitted the FBI to access and modify private servers?
Are we creating a cyber remediation squad within the FBI? It sure seems like it, at least for situations like this that can potentially have national security interests. And what does this say about how the FBI might be involved in other types of cyberattacks such as the recent DarkSide ransomware attack on Colonial Pipeline?
And most importantly, why have so many organizations not heeded the repeated requests by Microsoft, cyber security professionals, and government agencies to implement what appears to be a very simple fix to this backdoor issue?
My colleague and fellow analyst Shelly Kramer here at Futurum Research and I recently covered the FBI Covertly Fixing Vulnerabilities in Private Servers Related to the Microsoft Exchange Server Attack in the most recent episode of the Futurum Tech Webcast, as part of our Cybersecurity Shorts series. You can find the brief conversation here:
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: Absolutely. So, now we’re going to move on, and we’re going to talk a little bit about something new that the Justice Department has done, as it relates to trying to mitigate damage from the Microsoft Exchange Server hack. So, tell us a little bit about that.
Fred McClimans: If you recall, there was an attack, the Hafnium attack, on Microsoft Exchange Servers back late last year, earlier this year. And, that attack was similar to the SolarWinds attack, in that it used access into a core system and the distribution of software updates to spread throughout the Microsoft Exchange Server environment. It’s been very well publicized, there are patches that are out there to fix one of the ongoing persistent issues with this particular threat. And, that was that when the breach occurred, the threat actors went in and they actually installed web shells on a lot of the Exchange servers. That would allow them after the attack, and even after the attack had been cleaned up a bit and stopped, it would allow them to go back in and control the server. So, there was a lot of emphasis made to educate companies out there that, “Here’s the software patch, here’s what you need to do to remove this web shell from your server”. Well, unfortunately, that hasn’t worked very well.
Shelly Kramer: People don’t do it.
Fred McClimans: …there and saying, “Hey, corporate America, do your thing”, was not that effective. So, the FBI has stepped in, in kind of a unique way here. They have obtained a search warrant that essentially allows them to go in, with some very mild notification, essentially an email to a company… And, there are at least hundreds of companies out there that still have not patched their systems according to the FBI. So, what they’re doing, the FBI, and court approved, they have the right now, after sending an email notification to a company, to go in and to actually access that company’s servers. Without actually saying, “Hey, by the way, we are here now”. Apparently they can just, after notification, do it. But, they have the ability to go into the servers, to copy the web shell code, and then actually modify and execute a command on a private company’s server to delete the web shell.
Big move here. All of a sudden you have the FBI saying, “Look, not only are we going to pursue organizations that are out there that are causing these threats, but we’re actually going to take an active effort in remediating the impact of this.” I think the big issue here really for me is that they’re going into a privately held company’s hardware.
Shelly Kramer: And, this is a warrant. This is like somebody showing up and knocking on your door with a search warrant.
Fred McClimans: It goes beyond that. Imagine somebody knocking on your door and saying, “Hey, we have a search warrant, and while we’re here, we’re going to replace some of the plumbing in your house”.
Shelly Kramer: Right.
Fred McClimans: “We’re going to rewire the back room here”.
Shelly Kramer: And, by the way, I will say that I can’t imagine what it would be like to have somebody show up at my door with a search warrant. I can’t imagine what it would be like to have the FBI show up with this court-ordered warrant, is what it’s called, and to do this. And, I think this is so unusual. It’s such an unusual move by the Department of Justice. Because, it is really taking this extreme, aggressive step to go in and protect these companies. But the reality of it is, these companies have not taken the steps they need to take to protect their Exchange servers. So, what do you do?
Fred McClimans: This kind of speaks a bit to the issues that we face with the Colonial Pipeline attack here. When something is this important or this critical, at what point does the Government assert itself in the national interest and say, “This is a national security matter here”.
Shelly Kramer: And it is.
Fred McClimans: And, that appears to be kind of what they’re doing. The security is almost nationalizing cybersecurity response functions here, saying, “If you can’t do it we will step in, and we will fix the systems the way we see fit to fix the systems”. That is a bit of an issue here, because if you’re a private company and you’re still investigating the software or you have other systems in place, you don’t want somebody just going in and executing code without you actually participating in that process. So, maybe the bigger issue here is just the way they’re doing it without actually saying, “We’re going to set up a specific time and a coordination team here”. And, maybe that evolves out of it at some point, but this has got to be something that will ultimately be challenged by somebody.
Shelly Kramer: Yeah, I agree.
Fred McClimans: Or, it’s like you’re overstepping.
Shelly Kramer: Do you really know what’s happening? We’re saying, “Oh, somebody just shows up, knocks on your door”. I’m looking at the Justice Department’s announcement of this court authorized effort to help mitigate these server vulnerabilities. I’m reading the order. We don’t know exactly what is happening. Maybe they are calling or sending an email and scheduling a time, so we can’t assume that we know what the process is. But, I do think that it is very much a question that we’ll have to answer moving forward as our public officials, our legislators, the Administration in control, whether it’s this one or the subsequent… This is a huge issue, and we cannot allow a wild west of ransomware and all of these other threats that are out there to just happen and be chasing after them. We have to be proactive.
And, I think what the Government is saying here is that, “This is a critical problem, and we don’t see companies solving it on their own”. And, there are people still running old unsupported versions of Microsoft Exchange Server software. That’s the problem in many instances.
Fred McClimans: Sure. Now you get to the really delicate matter here. Do we, as a nation, or just as a society in general, have the ability or even the right to tell a private company, “You’re doing it wrong. Here’s what you have to do. And, if you want to participate in the digital ecosystem, here are the things you need to have in place.”? There are a lot of people that would push back on that and say, “That’s overreaching Government control”.
Shelly Kramer: For a society who can’t agree on masking or not masking, or anything else really, it is a big deal. But, the reality of it is, it’s yes, it is Government stepping into a private company, but the reality of it is, it’s protecting data. Generally speaking, it’s protecting customer data, and all other information that is a part of the organization. So, it’s employee data, it’s customer data, it’s so many things. So, it’s not just, “I’m going to knock on your door and look under your bed”. The data protection issue is a big thing. And, the impact of that down the line, throughout the company as a whole, is really bigger than I think most people realize.
Fred McClimans: There’s a line of thought here that says, one of the big fundamental issues we have, and I believe this, we have a backwards approach to data ownership and data privacy. And, it’s starting to be corrected here, you’re seeing companies like Apple and others flipping the model around to make it an opt-in to data sharing. Because, the traditional model has been, you don’t own, as an individual, your data. If you interact with a system, with a company, with a service they own your data. And, that really needs to be reversed the other way. We need to start thinking, when we’re conducting a transaction, when we’re sending an email, or doing anything, that communication, that data, everything that comes off of that, that belongs to the user who’s actually creating that and generating that. And, does that mean our business models potentially need to change? Absolutely. But, we have to start thinking about that privacy right first. And, from that perspective, if you go down that road, it’s very easy to say, “The Government has the right and the ability, on behalf of its citizens, to protect their data”.
Shelly Kramer: Yeah. It’s an interesting topic, and one I’m sure we’re going to be talking more about as time goes on, for sure. Okay, I think I’m ready to wrap up this show.