
The FBI's action to remove Web shells from compromised Microsoft Exchange Servers sparks a broader discussion about officials' response to cyberattacks.

Kelly Sheridan, Former Senior Editor, Dark Reading

May 5, 2021

11 Min Read
(Image: Kristina Blokhin via Adobe Stock)

The FBI last month was authorized to remove malicious Web shells from machines running on-premises versions of Microsoft Exchange Server, a move that caught the eyes of cybersecurity pros and sparked a conversation about the government's role in responding to these attacks.

This operation, which specifically authorized the activity for email servers in the United States, was announced some six weeks after Microsoft disclosed critical Exchange Server vulnerabilities that have since been used to target thousands of networks around the world. An attacker could chain the flaws together to compromise an exposed server and steal data, among other actions. 

These infections commonly start with deploying a Web shell, which adversaries can later use to communicate with target machines and distribute files to infect them with additional malware. While many admins of target systems were able to successfully remove these Web shells from thousands of devices, others didn't. Web shells persisted, unmitigated, on some target servers.

They soon became the object of an FBI operation that removed the remaining Web shells of an early hacking group. The Web shells could have been used to "maintain and escalate persistent, unauthorized access to U.S. networks," the Justice Department wrote in a statement. Officials conducted the removal by issuing a command through the Web shell to the server, which was designed to cause the server to only delete the Web shell, as identified by its unique file path.

It's important to note that while the FBI copied and removed Web shells, it did not patch any of the vulnerabilities, nor did it search for or remove additional malware or hacking tools that may have been present on target servers. Officials said they were attempting to contact the owners and operators of infected machines following the operation; they did not give advance notice. 

The FBI has been involved in several operations against cybercrime. Officials most recently teamed up with global law enforcement agencies to bring down the Emotet botnet.

But this operation, in which the FBI was present on enterprise servers without owners' knowledge, caught the eyes of many. It feels different than law enforcement dismantling a botnet, which often involves tracking a command-and-control server that the bots communicate with, disrupting communication, and gaining control over it. 

"That's a nuanced difference, but it's a little different than the FBI specifically knowing endpoints that are compromised, remoting in, and deleting a Web shell," says Katie Nickels, threat intelligence director at Red Canary, who feels "pretty divided" about the operation. 

For Nickels, and for many defenders, it was difficult in early March to see many organizations compromised in the Exchange Server attacks. Security practitioners know there are teams that aren't current on security news and don't know to patch or detect Web shells, she explains. It's frustrating, as a defender, to know all these businesses are going to be compromised and not know about it. 

"Part of me as a defender is really happy that someone is trying to help these organizations remove a Web shell," she says. "Of course, there's the other side: What kind of precedent does this set, allowing law enforcement to go into a computer … what kind of precedent does that set for the future? When could these operations take actions in the future, and what could be the implications of that? That's the other side." 

"I feel squarely torn, and that's what I've heard from most people," Nickels adds. In the past few months, as the world learned about SolarWinds and the Exchange Server attacks, the security community has seen a growing disparity between organizations prepared to face these incidents and those that aren't — and a need to help lacking companies protect themselves. 

A Goal of Disrupting the Adversary
Law enforcement's role in cybercrime is an intricate matter because much of this has never been done before, legislation hasn't caught up with technology, and things move quickly, says Shawn Henry, president of CrowdStrike Services and former FBI executive assistant director. Employees in the private sector are often defending against trained military professionals.

"There's so many complexities there, and that's why these things are never easy," he says of navigating the myriad laws, issues, amendments, and ramifications of intervening. "If I [believe] the government's primary responsibility is to protect the citizens, I think that their role in a case like this is to disrupt infrastructure. That is an area that the government can have success in." 

The government's role in fighting crime is often focused on deterrence. In the physical world, this could mean seizing assets bought with stolen funds, bank accounts used to launder money, and warehouses and other facilities used to store and sell illicit products. Criminals can't operate in an environment where their infrastructure is destroyed, and their return-on-investment drops. 

Henry applies the same concept to cybersecurity, an area in which attackers "are operating with impunity" and often out of places where the host country can't be expected to intervene. 

"Therefore, US law enforcement needs to take action to try and disrupt infrastructure in areas where they can have a meaningful impact … to try and raise the cost to them, or to deny them the ability to carry out their actions," he says. Sanctions, such as those the US recently imposed on Russia in response to the SolarWinds intrusion, are one way of doing this. Disrupting a botnet, which prevents operators from launching denial-of-service attacks or sending spam, is another.

In the case of the Exchange Server attacks, Henry continues, if law enforcement operated within the confines of the law and applied it within the boundaries it is allowed, the question becomes one of public policy.

On the legal front, the operation was conducted after a search and seizure warrant under Rule 41 of the Federal Rules of Criminal Procedure. Among other things, it lets law enforcement petition a judge for a warrant "to use remote access to search electronic storage media and to seize or copy electronically stored information" when investigating damage to protected computers. This warrant did not authorize "seizure of any tangible property," nor did it permit officials to seize or copy content from, or alter functionality of, electronic storage media. 

Uncertainty for the Future
While done legally, this operation goes beyond the scope of what law enforcement officials have previously done in response to cybercrime. Some experts disagree with the actions as they were taken; others wonder whether the operation should have gone farther in its defense. 

Dr. David Brumley, co-founder and CEO at ForAllSecure and Carnegie Mellon University professor of electrical and computer engineering, supports the idea of removing Web shells but questions whether the FBI should have done it. He sees the security community agreeing on the key ideas: a crime was being committed, and the Web shells were dangerous.


"I think the agreement in the community is in cases like this [in which] we see these mass compromises, someone should be helping people fix these because not all enterprises can do it themselves — [and] by not doing it, they're endangering others," he says. "I think the main disagreement is whether the original compromise constitutes enough of a crime to warrant the FBI entering."

Brumley's concern is how this precedent could be used to pursue crime in the future. If someone compromises a personal computer and leaves behind a backdoor, could the FBI access the machine under the same conditions it used here? What if officials access a server because they believe there is illegal activity, but it turns out to be a more pedestrian crime?

"Is it going to turn into a slippery slope where we think the server is compromised so we can enter because that's evidence of a crime?" he says.

This case points to a need to centralize the computer security effort from the defense mission, Brumley says. Removing Web shells helps the Internet become more secure, but having the FBI do the task "is really breaking shaky ground, and we should rethink our approach to this."

Considering both sides of the matter, it's also interesting to note the FBI's decision to remove Web shells but not patch affected systems or remediate post-exploitation activity, says Nickels. Some security pros believe if the FBI is already on a system, why not deploy a patch? For law enforcement in this case, though, going beyond the Web shells is tricky. 

"I think the challenge is that post-exploitation activity can look so different," she says. One of the reasons why the Web shells were detectable is they followed a pattern: It was the same file name and same folder path, so it was easier to say with confidence that they were malicious. However, trying to learn what happened after a Web shell drops is harder.

"Those are unique investigations that will differ per victim, per endpoint, and per environment, and so I think that's where … thinking of the levels of risk for the FBI trying to do that investigation, at scale, I don't think would be sustainable." 

Public-Private Collaboration: The Need for a Plan
A public-private partnership can help improve communication and information sharing after incidents such as the Exchange Server attacks. The problem is that there is often a gap between private-sector defense and government offense, and coordination between the two is inconsistent, Henry says. Over the years, there have been improvements in coordination and some successes; however, a lot of work remains to be done.

"There have been successes, and I don't want to minimize the successes, but the reality is there have been so many more successes by the adversaries," he says. "And the successful deterrence, the successful attribution, the successful arrest, pale in comparison to what the adversaries have been able to do, and that is a function of public-private partnerships don't scale." There are one-off successes, but overall defenders are catching up and not in front. 

The solution, Henry believes, is building an infrastructure that allows for sharing of threat intel. 

When companies are breached, they collect artifacts and indicators that may lead to identifying the adversary behind an attack. If the public sector isn't allowed in, or those indicators are not shared, then they don't have access to intelligence that could help deter cybercriminals in the future.

How to bridge the gap? Public-private partnerships are often a topic of conversation among government executives, but nobody ever lays out a clear path to collaboration, he says, laying out three specific things the government should communicate to make this partnership work. 

"What is it you want from the private sector? Tell the private sector specifically," Henry says. If it wants malicious IP addresses; pieces of malware; indicators of tactics, techniques, and procedures; or other intelligence, the public sector must be clear about what it's looking for. And that's only the first step.

Next, the government must determine what it will do with that information once it receives it. How will the information be stored, handled, and secured? Who is the point of contact for that intelligence? Which agency handles it? If it's shared, where does it go? When people say "public-private partnership, share with us," what does that mean in terms of handling shared information?

And finally, the public sector needs to explain how it will use the information and what the private sector can expect back. This must go beyond "give us all your data," Henry says. The government has to convey to organizations how they will analyze the data to inform strategies.

"I'm simplifying it, of course," says Henry of the foundation for a public-private partnership. "But we've had 20 years to address the problem and I still hear 'we need a public-private partnership.' And I agree."

At a time when foreign governments have remote access tools in the US power grid and are launching large-scale campaigns targeting US devices, the implications and risks of malicious activity are high. There must be accountability for, and review of, the government's actions and now is a good time for private citizens to question and start a discussion around it. 

Henry will join other security practitioners and former public officials in an upcoming RSA Conference talk, "Total Security: Investigative Perspectives from Public to Private Sector," to discuss how their experiences in counterintelligence and counterterrorism have informed their security practices.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
