While the web shells that gave attackers access to Microsoft Exchange servers have been removed, the FBI has cautioned that other malicious software may still be present that the intruders can use to maintain backdoor access to victim networks.
In February 2021, several threat actors discovered and exploited zero-day vulnerabilities in Microsoft Exchange Server software. They used these vulnerabilities to install web shells and gain persistent access to the servers, until the activity was discovered in March 2021. Even after the initial intrusions came to light, other attackers kept looking for ways to exploit these weaknesses once they had been patched and publicized.
Although thousands of victims of this attack managed to remove these backdoors, hundreds of malicious web shells remained in place. For the affected servers the FBI was able to reach, it issued a command through the web shell to the server, causing the server to delete the web shell once its unique file path had been specified.
To date, authorities have expressed optimism about the ability of public and private organizations to join forces with cyber security agencies to counter this threat. In fact, the FBI has already partnered with international counterparts on the ground to watch for further vulnerabilities and threats of this nature.
Indeed, since this attack first came to light in March, Microsoft and its various partners have made significant efforts to provide their thousands of customers with the information and tools to help mitigate this threat, including organizations whose servers have already been hit.
However, even though many Microsoft Exchange Server users have successfully removed the malicious shells from their networks, the FBI warns that the original zero-day vulnerabilities have not yet been fully resolved. The agency therefore advises all affected organizations to continue monitoring and investigating their environments for any remaining malicious presence.
The FBI intends to notify all entities from whose servers it removed malicious web shells associated with these attacks. It recognises that network defenders at affected organizations otherwise face the challenge of finding these malicious web shells themselves, based on their unique file names and paths.
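The hunting task described above, locating leftover web shells by file name and path, as an added example that is not from the article or from the FBI: a Python filter that flags server-executable ASP.NET files under the Exchange web roots that are either absent from a clean-install baseline or modified after the campaign's start. The web root paths are assumed default install locations, and the baseline and inventory records are constructed samples, not real data.

```python
import os
from datetime import datetime, timezone
from pathlib import PureWindowsPath

UTC = timezone.utc
# Exchange web roots that serve ASP.NET content (assumed default install paths).
EXCHANGE_WEB_ROOTS = (
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
)
# Extensions IIS will execute server-side; a dropped web shell needs one of these.
WEB_EXEC_EXTS = {".aspx", ".ashx", ".asmx"}
# Earliest activity named in the article (February 2021). Modification times can be
# backdated, so the baseline comparison is the stronger of the two checks.
CAMPAIGN_START = datetime(2021, 2, 1, tzinfo=UTC)

def suspicious_web_files(inventory, baseline, start=CAMPAIGN_START):
    """inventory: iterable of (windows_path, mtime_utc); baseline: paths listed on a
    clean reference server. Returns sorted (path, reason) pairs for executable files
    that are not in the baseline, or are baseline files modified after `start`."""
    clean = {PureWindowsPath(p).as_posix().lower() for p in baseline}
    hits = []
    for path, mtime in inventory:
        p = PureWindowsPath(path)
        if p.suffix.lower() not in WEB_EXEC_EXTS:
            continue  # static content cannot run as a shell; skip it
        if p.as_posix().lower() not in clean:
            hits.append((str(p), "not in clean baseline"))
        elif mtime >= start:
            hits.append((str(p), "baseline file modified after campaign start"))
    return sorted(hits)

def walk_inventory(roots=EXCHANGE_WEB_ROOTS):
    """Build (path, mtime_utc) records from the live filesystem of a server."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    ts = datetime.fromtimestamp(os.stat(full).st_mtime, tz=UTC)
                except OSError:
                    continue
                yield full, ts

SAMPLE_BASELINE = [  # constructed clean-install listing, not a real Exchange manifest
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
]
SAMPLE_INVENTORY = [  # constructed records from a hypothetical server
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx", datetime(2020, 9, 15, tzinfo=UTC)),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx", datetime(2021, 3, 3, tzinfo=UTC)),
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx", datetime(2021, 3, 2, tzinfo=UTC)),
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\logo.png", datetime(2021, 3, 2, tzinfo=UTC)),
]
```

On a real server, feed `walk_inventory()` into `suspicious_web_files` with a baseline taken from a known-clean installation of the same build, and review each hit's contents before deleting it.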
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have also issued a joint advisory on Microsoft Exchange Server addressing this incident.