YT$AW: FBI Cleans Up Exchange Servers, NSA Tips Microsoft 4 More Bugs

Your tax dollars at work: The FBI and NSA have been helping fix the mess caused by the recent Microsoft Exchange hacking, and trying to prevent a further round of it.

The FBI has been hacking hacked servers to tidy up after hackers. And the NSA has told Microsoft about four new vulnerabilities in its creaky, leaky email server software.

“We’re from the government, and we’re here to help.” In today’s SB Blogwatch, we’re careful what we wish for.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 4-minute atmosphere.

Feds Fix Fails

What’s the craic? Joseph Cox reports—“FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks”:

 The FBI was given approval to access hundreds of computers across the United States running … Exchange Server software to remove web shells left by hackers who had earlier penetrated the systems [and] to prevent further access to those machines by hackers. … The news shows some of the more proactive steps law enforcement may take when faced with large scale hacking operations.

The FBI also took evidence from the servers themselves. … The FBI is attempting to inform all owners of the impacted computers about the operation.

A spokesperson for Microsoft declined to comment.

Isn’t that rather unusual? Zack Whittaker adds—“FBI launches operation to remove backdoors”:

 It’s believed this is the first known case of the FBI effectively cleaning up private networks following a cyberattack. In 2016, the Supreme Court moved to allow U.S. judges to issue search and seizure warrants outside of their district. Critics opposed the move at the time, fearing the FBI could ask a friendly court to authorize cyber-operations for anywhere in the world. Other countries, [e.g.,] France, have used similar powers before to hijack a botnet and remotely shut it down.

In March, Microsoft discovered a new China state-sponsored hacking group — Hafnium — targeting Exchange servers. … Microsoft fixed the vulnerabilities but the patches did not close the backdoors from the servers that had already been breached.

The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained vulnerable because the backdoors are difficult to find and eliminate, the Justice Department said.

But why does it need the FBI to fiddle about in private-sector servers? Lawrence Abrams explains—“FBI nuked web shells … without telling owners”:

 The FBI requested this warrant because they believed that the owners of the still-compromised web servers did not have the technical ability to remove them on their own and that the shells posed a significant risk to the victim. … As there was concern that notifying the owners of these servers could compromise the operation, the FBI requested that the warrant be sealed and that notification of the warrant be delayed until the operation was finished.

To clean the identified Microsoft Exchange servers, the FBI accessed the web shell using known passwords utilized by the threat actors, copied the web shell as evidence, and then executed a command to uninstall the web shell from the compromised server. [It] only removed web shells and did not apply security updates or remove any other malware that threat actors may have installed on the server.

Why do people feel uncomfortable about it? According to sreynolds, it sets a “dangerous precedent”:

 What next? Did they have a [look] at the email too? Maybe looking for some incriminating metadata. If you go through those email systems there is a lot of stuff there like drug testing reports, pricing info that you really want to be kept private.

Speaking of three-letter agencies, climb aboard the Brian Krebs cycle with me—“Microsoft Patch Tuesday”:

 Microsoft released updates to fix four more flaws in Exchange Server. … Interestingly, all four were reported by the U.S. National Security Agency. … A Microsoft blog post published along with today’s patches urges Exchange Server users to make patching their systems a top priority.

What the what? That’s a feeling shared by PolygamousRanchKid:

 How come I am thinking that this “patch” contains more NSA backdoors?

And by JWLong:

 Sounds like a bunch of old NSA backdoors got discovered and now they need the Feds to go around and plant new, unknown ones to maintain their status quo.

Why should the government help Microsoft? Voyager529 looks at it a different way:

 There’s more than one way to look at it. The NSA isn’t helping Microsoft, it’s helping the thousands of American taxpayers who manage Exchange servers, and the millions more American taxpayers who are employed by companies who utilize Exchange servers. Microsoft may have gotten the code and the ability to deploy it, but the patches help Microsoft customers more than the company itself.

If compromised Exchange servers are used for ransomware deployment, a certain number of companies will pay hackers hundreds of thousands of dollars. If allowed to wait until after a known vulnerability is being utilized, the down time for remediation can cost thousands or millions of dollars. If a vulnerability is exploited and compromised Exchange servers are used as a point of entry to then attack government institutions, the consequences of a successful attack could be devastating.

The NSA helping Microsoft get ahead of the curve so that patches can be deployed before a massively scripted exploit, rather than after … is, as far as I’m concerned, my tax dollars actually being used for something helpful.

Perhaps it should be up to ISPs? Lee D thinks that’s perfectly reasonable:

 I think this is perfectly reasonable. … While I agree that the responsibility should be your own, I see no reason with, say, permanently cutting off the Internet of infected machines at the ISP level until they are showing no more malicious traffic.

[If] you’re running a business mail server that’s known-compromised and hasn’t been patched in years, they just block your IP access and replace all HTTP pages with “Your network has been compromised, and as your ISP we have blocked your access. Contact us for information on how to resolve this block.” Maybe then people would wake up and fix their stuff in a timely manner.

Meanwhile, this Anonymous Coward is all for it, and has a message for the FBI and NSA:

 About time. Pro-tip: we like it when you work for us, and not against us.

And Finally:

It’s complicated

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Marco Verch (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
