- Federal authorities conducted a coordinated operation to eliminate the remnants of the nation-state attack against Microsoft Exchange server by removing malicious web shells from hundreds of computers across the country, the U.S. Justice Department announced Tuesday.
- The FBI launched the court-authorized operation to remove the web shells, which lingered on computer systems where system owners were either unable or otherwise failed to mitigate the attack. The effort was part of a partnership between the Biden administration and the private sector to deliver a coordinated response to a sophisticated cyber campaign that Microsoft traced to a threat actor called Hafnium.
- "Today's court-authorized removal of the malicious web shells demonstrates the Department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," said Assistant Attorney General John Demers, of the DOJ's National Security Division, in a statement. "Combined with the private sector's and other government agencies' efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country's cybersecurity."
The coordinated response to take down the remnants of the Microsoft Exchange server attack indicates how serious the Biden administration is working to engage the private sector community to combat the rising threat of cybercrime and nation-state activity, according to industry officials.
"I fully expect the Biden administration to take a more proactive cyber defense stance than any previous administration," Kyle Hanslovan, co-founder and CEO of Huntress said via email.
The administration ordered all federal agencies to immediately patch all Exchange servers and urged private sector owners and operators to do the same, according to a statement from Anne Neuberger, deputy national security adviser for cyber and emerging technologies.
The National Security Agency recently alerted Microsoft of additional vulnerabilities related to Exchange server, which resulted in the release of several security updates Tuesday.
"Cybersecurity is national security," said Rob Joyce, director of cybersecurity at the NSA, in a statement. "Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors. Don't give them the opportunity to exploit this vulnerability on your system."
Microsoft officials said they had not seen the vulnerabilities exploited in the wild, but given the unprecedented attacks on Exchange in recent months, decided to release the patch in order to protect customers from further attack.
"Customers who have already installed the updates released on April 13, 2021, are already protected against these vulnerabilities," a spokesperson for Microsoft said via email.
Security researchers said the newly discovered vulnerabilities were among the most serious of any discovered since the attack was initially disclosed in March. Tens of thousands of vulnerable systems were impacted in the U.S. alone, and criminal cyber actors took advantage of the attack to exfiltrate data and launch ransomware attacks against a variety of private businesses, government agencies and other entities.
"The characteristics of the Microsoft Exchange vulnerability defined in CVE-2021-28481 are of the most dangerous combination," Charles Herring, co-founder and CTO at WitFoo, said via email. "The exploit can be executed over the network against ports that are commonly publicly exposed without the need for credentials and allow the attacker to execute code on the vulnerable servers."
Herring warned that when Microsoft issues a bulletin, criminal actors will move rapidly to develop attack toolkits that are designed to steal data, degrade computer systems and extort funds using ransomware.
"It is critical that vulnerable organizations move faster than the adversaries weaponizing the exploit," he said.