Effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities

This reminds me of a time at Red Hat when a worm was going around and infecting Red Hat systems, one of the engineers reverse engineered the worm and wanted to release it in the wild to fix the bug, legal wouldn’t let them. I think legal was right (for a public company) but this kind of shows the actual right response, in my opinion.<p>Keep in mind in like 1999, you didn’t expect upgrades via package managers online for most large customers so this was an appealing release vector.

If I&#x27;m understanding this correctly, the DOJ authorized the FBI to exploit the exploit to remove the exploit from exploited servers? This proactivity is something I remember hearing recently that the NSA wished they could have

I&#x27;m kind of annoyed by some of the general negative tone of some of the comments here: &quot;Ha! The FBI is guilty of hacking&quot;, or &quot;But they didn&#x27;t patch the root cause!&quot;<p>In my understanding, the FBI:<p>1. Applied for and received a lawful court order<p>2. To make as minimally invasive as change as possible to <i>help</i> the targeted networks<p>3. While making a best effort to contact the network owners to tell them what they were doing and then<p>4. Widely publicizing what they did.<p>Not everything is some big &quot;gotcha&quot; conspiracy. We can just say &quot;thank you&quot; and move on.

Interesting. They&#x27;re violating their own CFAA law (accessing a computer without authorization or exceeding the access granted) to remove web shells. Legally, this is hacking. Which means that the FBI just hacked a bunch of Exchange servers to clean them.<p>So the message here is, if you don&#x27;t clean up your act and you&#x27;re on a USA network, we&#x27;ll do it for you without your permission.<p>The beef is at the end of the article:<p><i>This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching.</i><p><i>The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.</i><p><i>If you believe you have a compromised computer running Microsoft Exchange Server, please contact your local FBI Field Office for assistance. The FBI continues to conduct a thorough and methodical investigation into this cyber incident.</i>

My initial thoughts<p>And what happens if they break something while patching the exploits? Just seems odd that somehow the FBI is the best server admin here?<p>I feel like I’m missing the full view of the implementation specifics.<p>Shouldn’t the disincentive for admins to run unpatched just be monetary damages once&#x2F;if a damage occurs?<p>Why are my tax dollars paying for lazing email hosts? Seems like a lot of other issues (unless I’m missing something)

Presumably the FBI limited this operation to &quot;U.S. Networks&quot;. I wonder how they determined that? Based on domain registration? IP block ownership? What about a non-US company with servers outside of the US that has a Point-of-Presence IP inside the US? Seems like there&#x27;s no perfect way to determine programmatically.

A substantive portion of these unpatched servers end up ransomed. And if not yet, they will be. A proportion of ransom victims show up expecting the FBI to help, even if they were extremely negligent in allowing the incident to occur. Another very high proportion just pays the ransom.<p>The FBI here aren&#x27;t just &quot;protecting lazy admins&quot;, there are some further reaching consequences to failing to act.<p>Note also people are talking about &quot;applying patches&quot; but the order more specifically talks about removing web shells. If my experience is indicative, there are more hosts that applied patches too late and didn&#x27;t remove the web shells mass scanners deployed, than hosts that never patched. I expect a lot of this disruption is about deleting a one line .aspx file.

this action only removes already installed web shells, and does not patch, nor does it prevent from future take overs of these servers, right?<p>if left unpatched, these same servers could be reinfected next day?

Imo seems reasonable. There are plenty of other government agencies with far more power in their respective industries. FDA, Public Health Departments, the myriad of banking regulators.<p>In may of those, the respective regulators can shit the entire business down. Here, the FBI didn&#x27;t even power the servers off and they got a warrant without going through a secret court<p>Companies have had plenty of time to address the issue on their own, at this point

I&#x27;m interested in the moral hazard this creates if this practice becomes widespread. If your servers are &quot;too big to fail&quot;, and the FBI&#x2F;NSA can reliably zero-day into your servers to patch zero-day bugs, that seems like a pretty good deal for skimping on some of your security budget.

Well, this is a totally awful development. In the 80s the idea of white worms being used to patch vulnerabilities was rejected for good reason, so I have to think this has little to do with security and much more to do with normalizing behavior that really shouldn&#x27;t be tolerated. They didn&#x27;t even patch the hole...<p>Before anyone tries framing it as a service to the security of the majority - understand that this is the introduction of a new attack vector: state actors hamfistedly bumbling around your network while &quot;doing you a favor&quot;. If the threat even approached a level justifying this kind of action, the far more effective and less damaging approach would be directing upstream networks to blackhole routes to the machines.

I would like to see this type of thing become more popular with general law enforcement.<p>It is very frustrating to have essentially no recourse available to stop the constant vulnerability scans targeting my house.<p>If random people constantly walk up to every house on the street looking for pick-able locks, the police are (Setting, for a moment, aside over&#x2F;under policing and other issues) available to help stop them.<p>But, for the digital equivalent, our collective response (especially among technical people) is typically <i>&quot;[shrug] Make sure your locks are unpickable and your windows unbreakable. And if you cant handle that, then just move in to the Facebook highrise&quot;</i>

The DoJ&#x27;s Advanced SysOps Team strikes again! We upgrade what no one else will!!

&gt; <i>This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.</i><p>So they removed the IOC but left the hole wide open.<p>This kind of &quot;help&quot; is going to be an incentive to stop doing business with US hosting companies.

This is not a thing that a court can authorize.

Stop protecting Microsoft. Let them absorb the damage and die.

This is too much texts for a security vulnerability. They can just create an hotfix for it.

Interesting precedent. Will they bill Microsoft? If not, I&#x27;m curious if this could mark the start of externalizing security and cleanup responsibilities to the federal government.

How is this legal? Has the judiciary simply accepted the fact that the CFAA doesn&#x27;t apply to FBI agents?

Wow. This is crazy unconstitutional. DOJ could seek civil injunction perhaps, but using <i>criminal authority</i> to break into servers without probable cause of any criminal action is crazy bad.<p>Another good reason to stop using proprietary binaries and instead compile your own source - even if you use code under proprietary copyright. Imagine if France also decided to &quot;help&quot; and bricked your server on accident.