The FBI is remotely hacking hundreds of computers to protect them from Hafnium

In what’s believed to be an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools (via TechCrunch).

The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a “whole of government response” from the White House, reportedly left a number of backdoors that could let any number of hackers right into those systems again. Now, the FBI has taken advantage of this by using those same web shells / backdoors to remotely delete themselves, an operation that the agency is calling a success.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the US Justice Department.

The wild part here is that owners of these Microsoft Exchange Servers likely aren’t yet aware of the FBI’s involvement; the Justice Department says it’s merely “attempting to provide notice” to owners that they attempted to assist. It’s doing all this with the full approval of a Texas court, according to the agency. You can read the unsealed search and seizure warrant and application right here.

It’ll be interesting to see if this sets a precedent for future responses to major hacks like Hafnium. While I’m personally undecided, it’s easy to argue that the FBI is doing the world a service by removing a threat like this — while Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had well over a month to patch their own servers after several critical alerts. I wonder how many customers will be angry, and how many grateful that the FBI, not some other hacker, took advantage of the open door. We know that critical-but-local government infrastructure often has egregious security practices, most recently resulting in two local drinking water supplies being tampered with.

The FBI says that thousands of systems were patched by their owners before it began its remote Hafnium backdoor removal operation, and that it only removed “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.

Today is Patch Tuesday, by the way, and Microsoft’s April 2021 security update includes new mitigations for Exchange Server vulnerabilities, according to CISA. If you’re running a local Exchange Server or know someone who is, take a look.

Repost: Original Source and Author Link


Microsoft was warned months ago — now, the Hafnium hack has grown to gigantic proportions

On Friday, cybersecurity journalists Brian Krebs and Andy Greenberg reported that as many as 30,000 organizations had been compromised in an unprecedented email server hack, believed to have originated from a state-sponsored Chinese hacking group known as Hafnium.

Over the weekend, that estimate has doubled to 60,000 Microsoft Exchange Server customers hacked around the world, with the European Banking Authority now admitting that it’s one of the victims — and it looks like Microsoft may have taken a little too long to realize the severity and patch it. Krebs has now put together a basic timeline of the massive Exchange Server hack, and he says Microsoft has confirmed it was made aware of the vulnerabilities in early January.

That’s nearly two months before Microsoft issued its first set of patches, alongside a blog post that didn’t explain the scope or scale of the attack. Originally, it was even planning to wait for one of its standard Patch Tuesdays but relented and pushed it out a week early.

Now, MIT Technology Review reports Hafnium may not be the only threat, citing a cybersecurity analyst who claims there appear to be at least five hacking groups actively exploiting the Exchange Server flaws as of Saturday. Government officials are reportedly scrambling to do something, with one state official telling Cyberscoop that it’s “a big F’ing deal.”

More diplomatically, White House press secretary Jen Psaki called it “an active threat,” drawing more attention to the emergency directive that the Department of Homeland Security’s cybersecurity agency sent out March 3rd. White House national security adviser Jake Sullivan has warned about it as well, as has former Cybersecurity and Infrastructure Security Agency director Christopher Krebs and the White House National Security Council.

At this point, the message should be clear that anyone who installed a local Microsoft Exchange Server (2010, 2013, 2016, or 2019) needs to patch and scan, but we’re only beginning to understand the scope of the damage. Hackers reportedly installed malware that can let them right back into those servers again, and we don’t yet know what they might have already taken.

“We are undertaking a whole of government response to assess and address the impact,” reads part of an email from a White House official, according to Bloomberg.

Microsoft declined to comment about the timing of its patches and disclosures, pointing us to a previous statement instead: “We are working closely with the CISA, other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers. The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Update, 4:27PM ET: Added Microsoft’s decline to comment, and earlier statement.

Repost: Original Source and Author Link