A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners. On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM. vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers. These web shells provided remote access to the servers where threat actors used them to exfiltrate email and accounts credentials. Over the following weeks, government agencies released guidance, and Microsoft released a variety of scripts and tools to help victims determine if they had been compromised and remove web shells. Simultaneously, other threat actors began using the Microsoft Exchange vulnerabilities to install ransomware, cryptominers, and further web shells. FBI uses search warrant to remove web shells In a Department of Justice press release published today, the FBI states they used a search warrant to access the still-compromised Exchange servers, copy the web shell as evidence, and then remove the web shell from the server.