Exploring the FBI's Groundbreaking Operation Against Web Shells
This article serves as Part 1 of a two-part series that delves into the FBI's significant operation in April 2021 aimed at eradicating harmful web shells from numerous systems under a court mandate.
On April 13, 2021, a pivotal moment in U.S. cybersecurity was unveiled. The Department of Justice (DOJ) revealed a "Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities," outlining an FBI initiative to eliminate harmful files from public email systems. The operation actually began on April 9, 2021, as indicated by the documents provided. The DOJ's announcement suggests that the initiative has reached a successful conclusion.
For further details, you can view a copy of the DOJ's announcement here, along with the full unsealed (though somewhat redacted) court documents available here.
At a glance, this operation enabled the FBI to:
- Connect to “hundreds” of compromised computers across the United States and access identified web shells,
- Make copies of these shells, and
- Remove them from the affected systems.
This event may establish an intriguing precedent regarding how the U.S. government responds to cybersecurity vulnerabilities. Many perspectives on this issue have been shared, and I aim to clarify my understanding of the provided documents. I will cover the following key questions:
- What motivates the U.S. government to take this action?
- How does the FBI execute this operation?
- What specific actions is the FBI undertaking?
- Did they access my systems?
- What insights can we derive from this operation regarding cyber threat intelligence (CTI)?
- What steps should we take moving forward?
> In this two-part series, I will address three questions in each installment. There’s a possibility I may not cover every important detail, so please feel free to comment or connect with me on Twitter for further discussion!
What motivates the U.S. government?
The impetus behind this operation stems from a series of vulnerabilities in Microsoft Exchange Server that were disclosed in March 2021. These vulnerabilities affected specific on-premises versions of Exchange Server, impacting a broad range of organizations, from large corporations to small family-run businesses. (I recently discussed the effects on small to medium enterprises in a podcast, and I will share the link once available.)
In my view, the extensive impact of these vulnerabilities is the key factor driving the government's intervention. The widespread nature of these issues prompted the authorities to step in and eliminate malicious files from certain systems (more on this later). Additionally, in the affidavit supporting this operation, the FBI highlighted a long-standing challenge in cybersecurity: incident clean-up is notoriously difficult.
The above figure illustrates the FBI's belief that many victims may lack the technical knowledge needed for effective clean-up. Moreover, I would argue that a significant number of victims may not even realize they have been compromised — even as of the writing of this article (almost a month and a half after the vulnerabilities were revealed).
This acknowledgment from the FBI is crucial as it points out two "residuals" from a widespread attack:
- Given the publicity and awareness around these vulnerabilities, the passwords for the malicious web shells are widely known. An attacker only needs to ascertain the presence of a shell and can then attempt a relatively simple password list. Even more concerning — in some cases, passwords and file names are consistently linked. (Note: The FBI has redacted certain sections of the affidavit to prevent this from happening.)
- There exists a subset of impacted organizations, often small to medium-sized businesses, that are oblivious to their compromised status and lack the technical resources to address it. In simple terms: They are compromised and unaware. However, attackers are aware or will become aware in the future.
This ongoing cybersecurity dilemma arises when organizations maintain systems and software (such as an email server, blog, website, etc.) with minimal technical expertise. These systems often remain unpatched for extended periods — days, weeks, months, or even years — leading to vulnerabilities that attackers exploit.
But why target a small business?
You might wonder why an attacker would want to exploit a vulnerable system belonging to a small business with no apparent connection to their objectives. The key lies in geolocation and exploiting trust.
Consider the following scenario (These examples are basic but still effective in 2021):
The above illustration depicts a foreign attacker trying to infiltrate a U.S.-based organization. Basic perimeter security can recognize and block untrusted or unfamiliar connections. However, attackers often seek to find a way to operate from a "trusted" country. Let’s enhance the previous illustration by adding an additional endpoint:
This illustration shows that the attacker can utilize a compromised system to appear as though they are operating from a U.S.-based IP address, which perimeter security may automatically allow. Who would grant access to an attacker? No one. Typically, attackers scour the Internet for low-tier compromised systems (like an email or blog server or a simple self-hosted website), take control of them, and use them as a “jump point” to execute attacks on foreign entities.
How does the FBI execute this operation?
The mechanism of this operation is critical and warrants close observation. It is grounded in legal principles while providing insight into how the government formulated its approach.
The execution process can be broken down into two key components:
- How does the government establish jurisdiction over these systems?
- How does the government determine a system falls under its authority?
Jurisdiction
The authority for issuing this search warrant derives from the Federal Rule of Criminal Procedure, Rule 41(b)(6)(B) (Citation: Fed. R. Crim. P. 41(b)(6)(B), Link: Cornell Law). Below is a screenshot illustrating this rule:
This rule essentially states that if a violation of U.S. Code 1030(a)(5) occurs in five or more districts, any judge with authority can issue a remote search and seizure/copy warrant for electronic information. What does this U.S. Code entail? Refer to the screenshot below:
Let’s break this down simply:
- If an attacker accesses a computer without permission, sends a command, or uploads malware, they have breached this code. This also applies if an attacker causes damage or loss to the system.
- If such activity happens in five or more districts, a magistrate judge can issue a warrant to access these systems for remote search and seizure or copying.
In the affidavit, the FBI mentions several districts affected by these vulnerabilities (though this list is not exhaustive):
This leads us to a crucial question: What constitutes a protected computer?
A “Protected Computer”
Further down in the U.S. Code, a “protected computer” is defined as follows:
Here, things get intriguing. The FBI affidavit explicitly references (2)(B), highlighting systems used in or affecting interstate or foreign commerce or communication. I believe these terms are quite broad (as some statutory language tends to be). Moreover, classifications 2(A) and 2(C) could easily apply to certain breaches we’ve witnessed in the past.
It’s easy to identify a company or set of computers that would fit these classifications. For instance, a ransomware attack on a national (or global) company would easily qualify under similar language.
I’m left with a significant question: Does utilizing this authority, under this language, pave the way for future FBI interventions in removing attacker artifacts?
Yesterday, on April 13, 2021, Microsoft disclosed new vulnerabilities in Exchange. Should we expect to see a recurrence of this type of action from the U.S. government?
What specific actions is the FBI taking?
The operation outlines precisely what the FBI is doing, with Attachment B providing the most clarity:
The FBI is leveraging the authority of this warrant to:
- Connect to systems remotely,
- Access known web shells,
- Retrieve copies of the web shells, and
- Eliminate the web shells.
I appreciate that the affidavit clarifies that no physical property will be seized and that the operation is strictly limited to the web shells in question.
To address some concerns: No, the FBI is not accessing your systems and extracting all data for storage. The scope of the warrant is confined.
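The copy-then-remove sequence described above, written out as a defender's evidence-preserving clean-up routine: each listed file is hashed and copied into an evidence directory with a manifest before the original is deleted, and nothing outside the list is touched. This is an added example, not the FBI's tooling or anything from the court documents; the web root layout, the placeholder file names and the manifest format are constructed assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile

def preserve_and_remove(webroot, known_shells, evidence_dir):
    """For each listed web shell path (relative to webroot): hash it, copy it
    into evidence_dir alongside a metadata record, then delete the original.
    Only the listed files are touched; nothing else on the host is read."""
    os.makedirs(evidence_dir, exist_ok=True)
    records = []
    for rel in known_shells:
        src = os.path.join(webroot, rel)
        if not os.path.isfile(src):  # already cleaned up or never present
            records.append({"path": rel, "status": "absent"})
            continue
        with open(src, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        st = os.stat(src)
        dst = os.path.join(evidence_dir, digest + ".bin")
        shutil.copy2(src, dst)  # keep content and timestamps as evidence
        os.remove(src)  # removal happens only after the copy succeeded
        records.append({"path": rel, "status": "removed", "sha256": digest,
                        "size": st.st_size, "mtime": st.st_mtime, "copy": dst})
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(records, fh, indent=2)
    return records

def demo():
    """Constructed scenario: a temporary web root holding a harmless placeholder
    file in place of a web shell plus one legitimate page that must survive."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site"))
    with open(os.path.join(root, "site", "PLACEHOLDER_shell.aspx"), "w") as fh:
        fh.write("<!-- constructed placeholder, not a real web shell -->")
    with open(os.path.join(root, "site", "index.html"), "w") as fh:
        fh.write("<html>legitimate content</html>")
    # Second entry stands in for a listed path that is already gone.
    records = preserve_and_remove(root, ["site/PLACEHOLDER_shell.aspx",
                                         "site/PLACEHOLDER_missing.aspx"],
                                  os.path.join(root, "evidence"))
    with open(records[0]["copy"], "rb") as fh:
        copy_digest = hashlib.sha256(fh.read()).hexdigest()
    return {"records": records,
            "legit_intact": os.path.isfile(os.path.join(root, "site", "index.html")),
            "shell_gone": not os.path.exists(os.path.join(root, "site", "PLACEHOLDER_shell.aspx")),
            "copy_matches": copy_digest == records[0]["sha256"]}
```

The manifest is what lets the owner later verify exactly which files were copied and removed and nothing more, which is the same scoping point the warrant's Attachment B makes.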
To be continued…
In the upcoming post, I will tackle the remaining three questions mentioned earlier. I aim to focus on the implications of the specific systems the FBI targeted, what that signifies for CTI analysts, and the actions we should take next.
Part 2 will be available tomorrow. Stay tuned for updates!