FBI Removes Malicious Web Shells From Microsoft Exchange Servers

Malicious Web Shells
Share It On:

23 April 2021, Kathmandu

Federal law enforcement, toting a court order, excised malicious web shells from hundreds of exposed servers in the U.S. compromised by the fleecing of zero-day flaws in Microsoft Exchange Server carried out at the year’s outset by a Chinese-backed hacking syndicate.

  • Note: A web shell is a malicious code written in typical web development programming languages that hackers implant on web servers for remote access and to run commands on servers to remain in an infected organization’s network. Attackers install web shells on servers by exploiting security gaps.
  • Recap: In the first two months of 2021, the Hafnium China-sponsored syndicate exploited zero-day vulnerabilities in Microsoft Exchange Server to access email accounts and place web shells that allowed the hackers to persist in victims’ networks. Other hacking groups have subsequently attacked these vulnerabilities to install web shells on thousands of victim computers in the U.S.

While Justice Department officials acknowledged that “many infected system owners” had successfully removed the web shells from thousands of computers, many systems infiltrated by the malicious code remained. The Federal Bureau of Investigation (FBI) conducted an operation to remove the web shells by executing a command through the web shell to the server through which the server deleted only the web shell as identified by its unique file path.

The Department of Justice (DoJ) said that many IT admins have since cleansed their systems of the malicious web shells, which were used for backdoor access to the servers. However, other systems “persisted unmitigated”, which is where the operation came in.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” said the DoJ. In the meantime, the Bureau is contacting the owners of the computers that they accessed to notify them of the removal of the malware.


Share It On:

Recent Posts

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future Plans

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future

Share It On:22nd November 2024, Kathmandu Liberty Energy Company Limited is gearing up to issue rights shares starting December 1,

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Share It On:22nd November 2024, Kathmandu Asha Laghubitta Bittiya Sanstha is holding its 8th Annual General Meeting (AGM) today, November

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and Reproductive Health Policies

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and

Share It On: 21st November, Kathmandu Nepal is set to host the 6th Asian Population Conference from November 27 to

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Share It On:21st November, Kathmandu Kumari Bank Limited has officially declared its intention to sell a substantial number of promoter

Up to NPR 150 Cashback on Nepal Telecom and Ncell Services with Namaste Pay

Up to NPR 150 Cashback on Nepal Telecom and Ncell

Share It On:21st November, Kathmandu Namaste Pay has unveiled an exciting new campaign to reward its users with cashback on

Ncell introduces innovative feature, enabling customers to convert voice to data or data to voice services

Ncell introduces innovative feature, enabling customers to convert voice to

Share It On:21st November, Kathmandu Ncell customers can enjoy an innovative feature that allows them to convert or exchange remaining