DOJ discloses operation to counter cyber breaches involving Microsoft software

The U.S. Department of Justice on Tuesday revealed a court-authorized operation to counter cyber breaches regarding computers running on-premises types of Microsoft Exchange Server software.

The effort involved copying and removing web shells from hundreds of computers in America, according to the Justice Department.

"Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access e-mail accounts and place web shells (which are pieces of code or scripts that enable remote administration) for continued access," the DOJ said. "Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized. Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated.

"Today's operation removed one early hacking group's remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)."

The department noted that the operation did not seek out or eliminate any other malware that hackers could have potentially inserted on breached networks.

"Although today's operation was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft's remediation guidance and the March 10, 2021 Joint Advisory for further guidance on detection and patching," the Justice Department noted.