In this case, the warrant targeted web shells installed by a cyberespionage group dubbed Hafnium that is believed to have ties to the Chinese government. In early March, Microsoft reported that Hafnium has been exploiting previously unpatched vulnerabilities in Microsoft Exchange to compromise servers. At the same time, the company released patches for those vulnerabilities, as well as indicators of compromise and other detection tools, but this didn’t prevent other groups of attackers from exploiting the vulnerabilities after they became public. In its warrant application, dated April 13, the FBI argues that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was “hundreds.”
The FBI asked for, and received court approval, to access the malicious web shells through the passwords set by the original attackers and then use that access against the malware itself by executing a command that will delete the web shell, which is essentially an .aspx script deployed on the server. The FBI was also allowed to make a copy of the web shells first because they could constitute evidence.
The warrant states that it “does not authorize the seizure of any tangible property” or the copying or alteration of any content from the servers aside from the web shell themselves, which are identified in the warrant by their unique file paths. This means the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation or to remove any additional malware or tools that hackers might have already deployed…
The FBI sent an email message from an official email account, including a copy of the warrant, to the email addresses associated with the domain names of the infected servers.
An official statement from the Department of Justice is already using the past tense, announcing that U.S. authorities “have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.”