{"id":2194,"date":"2021-04-14T11:06:35","date_gmt":"2021-04-14T09:06:35","guid":{"rendered":"https:\/\/www.apvnorge.no\/?p=2194"},"modified":"2021-04-14T11:06:37","modified_gmt":"2021-04-14T09:06:37","slug":"fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners","status":"publish","type":"post","link":"https:\/\/www.apvnorge.no\/cz\/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners\/","title":{"rendered":"FBI nuked web shells from hacked Exchange Servers without telling owners"},"content":{"rendered":"<p class=\"has-text-align-justify has-black-color has-cyan-bluish-gray-background-color has-text-color has-background\">A\u00a0court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers&#8217;\u00a0owners. On March 2nd, Microsoft\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now\/\" target=\"_blank\">released a series of Microsoft Exchange security updates<\/a>\u00a0for vulnerabilities actively exploited by a hacking group known as HAFNIUM. 
These <a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/the-microsoft-exchange-hacks-how-they-started-and-where-we-are\/\" target=\"_blank\">vulnerabilities are collectively known as ProxyLogon<\/a> and were used by threat actors in January and February to install web shells on compromised Exchange servers. These web shells provided remote access to the servers, which threat actors used to exfiltrate email and account credentials. Over the following weeks, government agencies released guidance, and Microsoft released a variety of\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-releases-one-click-exchange-on-premises-mitigation-tool\/\" target=\"_blank\">scripts<\/a>\u00a0and <a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-releases-one-click-exchange-on-premises-mitigation-tool\/\" target=\"_blank\">tools<\/a> to help victims determine whether they had been compromised and remove web shells. Simultaneously, other threat actors began using the Microsoft Exchange vulnerabilities to install\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits\/\" target=\"_blank\">ransomware<\/a>,\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-exchange-exploits-now-used-by-cryptomining-malware\/\" target=\"_blank\">cryptominers<\/a>, and\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/more-hacking-groups-join-microsoft-exchange-attack-frenzy\/\" target=\"_blank\">further web shells<\/a>. 
<\/p>\n\n\n\n<p class=\"has-text-align-justify has-black-color has-cyan-bluish-gray-background-color has-text-color has-background\"><strong>FBI uses search warrant to remove web shells<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify has-black-color has-cyan-bluish-gray-background-color has-text-color has-background\">In a Department of Justice press release published today, the FBI states they used a search warrant to access the still-compromised Exchange servers, copy the web shell as evidence, and then remove the web shell from the server.<\/p>\n\n\n\n<p class=\"has-black-color has-pale-cyan-blue-background-color has-text-color has-background\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners\/\"><strong>https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners\/<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A\u00a0court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers&#8217;\u00a0owners. 
On March 2nd, Microsoft\u00a0released a series of Microsoft Exchange security updates\u00a0for vulnerabilities actively exploited by a hacking group known as HAFNIUM. These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2124,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[44,7],"tags":[],"class_list":["post-2194","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers","category-ms-windows"],"translation":{"provider":"WPGlobus","version":"3.0.2","language":"cz","enabled_languages":["en","no","cz"],"languages":{"en":{"title":true,"content":true,"excerpt":false},"no":{"title":false,"content":false,"excerpt":false},"cz":{"title":false,"content":false,"excerpt":false}}},"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.apvnorge.no\/wp-content\/uploads\/2021\/02\/images.jpg?fit=275%2C183&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9T0bk-zo","jetpack-related-posts":[],"jetpack_likes_enabled":true,"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/posts\/2194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/comments?post=2194"}],"version-history":[{"count":1,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/posts\/2194\/revisions"}],"predecessor-version":[{"id":2195,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/posts\/2194\/revisions\/2195"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/media\/2124"}],"wp:attachment":[{"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/media?parent=2194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/categories?post=2194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.apvnorge.no\/cz\/wp-json\/wp\/v2\/tags?post=2194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}