(Updated 04/22/2021 to include court order)
For the last few months, we have seen Exchange Servers fall to the vulnerabilities exploited in the HAFNIUM attacks. Even after Microsoft released patches for these serious flaws, we continue to see attacks on Exchange Servers and hear of more Exchange Servers becoming compromised. This shouldn’t be news, as many publications, including our own, have covered these vulnerabilities extensively. Additionally, Microsoft released their patches over a month ago. Yet in a recent report, the FBI found many compromised Exchange servers that still had various threat actors’ webshells installed.
Last week, though, the FBI took it a step further. In a court-approved action, the FBI identified compromised servers, connected to the servers through the webshell, and removed the malicious webshell left behind by the original threat actors. We can easily criticize the administrators who allowed their Exchange servers to stay compromised for so long, but that doesn’t excuse the FBI for connecting to these Exchange servers. According to the previously sealed court document, they did not need individual warrants to connect to these devices. This sets a precedent for the FBI to access any server and make changes on it with just a blanket warrant. I see this as a clear violation of property rights. One could argue that the FBI helped fix the server, but property rights don’t carry a stipulation that the government can access your property if they intend to help you. For example, if somebody put graffiti on the side of a business, the FBI does not have the right to paint over the graffiti without the owner’s permission.
Administrators choose their software based on the features and security it provides. A Microsoft Exchange Server and its host operating system protect the server from unauthorized changes. When we buy the software, we expect that only authorized users can make changes on the servers and unauthorized users cannot. This creates a requirement for explicit permission for access. If you must bypass the normal, expected route to make changes on the Exchange Server, then you do not have the owner’s explicit permission to make those changes. The FBI has performed similar actions in the past with the Coreflood botnet. This time, though, it looks like they connected directly to the Exchange Server to delete the webshell, whereas they removed Coreflood by sending it a delete command from the command and control infrastructure they had previously taken over.
Ultimately, the court did not agree with me and gave an excessively wide warrant to the FBI. They could have asked for a warrant to identify the owners of the servers, but as far as we know they didn’t do this. We have no way of knowing exactly how the FBI did this or what IP addresses they used.
The good news is, you can protect yourself from this happening to you by keeping your infrastructure secure in the first place. Protect your servers by ensuring they are updated. More importantly, though, the FBI shouldn’t access servers they don’t own whose owners haven’t actually committed a crime.
Adam Hawk says
While I normally advocate for respect to the property rights, in this specific case I agree with the court.
Let me explain my reasons.
Your analogy with the graffiti is valid and clear, I will use a different analogy.
If some criminals dump drums with chemicals on a side of my building, and I am unaware of their presence, unable or unwilling to remove them, and they may cause harm to other property owners and the community, authorities must have the right to enter my property, secure them and remove them.
I agree this creates a gray area that must be addressed. Blanket warrants should not be a norm. There’s also the possibility of researchers using infected servers to detect and identify new threats. The FBI “fixing” that server may ruin the research.
But after more than 35 years in IT I can confidently tell you most of the administrators will never realize the FBI patched their servers, the same way they never realized they were vulnerable and compromised. And they were a threat to other organizations.
My father always told me my rights end where the rights of the other begin. Well, the rights of those business owners and system administrators end where the rights of the community begin.
Trevor Collins says
Thanks for the reply, and you bring up some valid points. The rights of an admin with a compromised server only extend so far.
I see a distinction between “unaware of their presence” and “unable or unwilling to remove them.” If an Exchange admin is unable or unwilling to fix an issue, like the malicious webshell, then the problem lies with the admin. Law enforcement should step in for it. If the admin doesn’t know of the webshell’s presence, then law enforcement should have the right to contact this admin in any way necessary but not the right to access the server.
Lorenzo Fongaro says
I don’t agree at all that they could do something like this.
My computer is mine and only I have to be able to get my hands on it to solve problems.
The same goes for the servers I manage as well as for my privacy in general.
I live in Europe and I very much hope that the GDPR will be respected. Microsoft, or whoever acts on its behalf, should have somehow informed IT administrators through some kind of press release, as has been done in the past for other cases. After that, it’s the responsibility of IT administrators to apply what they need to do.
It is inadmissible that an outsider can administer a server or pc without the permission of the owner(s).
How can you intervene to solve a problem in the same way you could to do hacking or spying?
I can understand that this is done in a specific case, but we must always respect the fact that the right to privacy of each of us is collective and not individual.
I agree with you, Trevor.
However, while we argue about cops and robbers (and victims) MSFT gets another million new customers to sign up for M365 because Exchange has been compromised.
We can argue all day about blanket warrants (what’s even the point of a warrant then?), but there is a chance the villain (and winner) here is most likely MSFT.
MSFT is not the villain. No software company writes perfect code. Just because people may move to O365 due to this doesn’t mean that MSFT did anything malicious.