Saryu Nayyar, CEO, Gurucul | Enterprisesecuritymag.com
It has recently been reported that the FBI, under federal court order, remotely accessed U.S.-based organizations’ Microsoft Exchange Servers without their knowledge or permission. These devices were all compromised by malicious shell files that would allow a bad actor to control the servers from afar. One of the actions taken by FBI cybersecurity experts was to remove those files.
At first blush, this unprecedented action by the FBI seems a bit shocking—somewhat of an overreach by a government agency. At least, that was my first thought, and the same for many others who called this a dangerous “slippery slope.” The gist seems to be, if we allow the FBI to take this action – even under court order – then what is to stop them from rummaging around in private companies’ servers anytime they want? Does the FBI intend to become the last line of security support for non-governmental organizations?
The news stories may have left the impression that the FBI went into these private companies’ servers to clean out the malicious files and protect them from further harm. That’s not exactly the case. Like any other news story these days, you need to go deeper than the headlines and the cursory story presented to the public. I went to the source: the FBI’s application for the search warrant.
What Prompted the FBI to Take Action?
In early March 2021, Microsoft published a report outlining a series of Exchange Server intrusions stemming from a zero-day vulnerability in the software. Microsoft identified a group of state-sponsored actors dubbed HAFNIUM, operating out of China, as the ones behind the intrusions. These actors installed unauthorized web shells that enabled remote control of the servers. Initially, the targets were high-value intelligence organizations in the U.S. These were followed by indiscriminate attacks on other companies. Once Microsoft published information about the vulnerability, other malicious actors used it to hack into servers and target even more victims.
Not only did Microsoft warn customers about the vulnerability and the need to update the servers and remove malicious files, but the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) also conducted a public awareness campaign. However, many organizations didn’t heed the warnings. Speculation is that these server owners either couldn’t find the files to remove them or didn’t have the technical resources or expertise to do it themselves. As long as the shell files remained on the servers, the hackers could control the devices, posing a risk to those companies and the organizations they do business with.
At this point a cybersecurity expert within the FBI applied for the search warrant to go into the still-compromised servers and seize, copy, and then delete the shell files. However, the reason for doing so was not so much to clean and protect the servers as to collect digital evidence of the malicious intrusions.
Evidence is Needed to Prove a Crime
It seems that every few years we read about a massive government-led take-down effort that puts a hacking group out of commission. (See https://www.fbi.gov/news/stories/members-of-bayrob-romanian-hacking-group-sentenced-022020 as an example.) There might be arrests or criminal charges, depending on whether the perpetrators are outside the reach of U.S. laws. Or look at the recent conclusion that Russian state-sponsored hackers attempted to influence the 2020 U.S. elections. This latter case resulted in additional U.S. sanctions against the Russian government.
These kinds of cases require evidence—irrefutable proof that the accused perpetrators were inside the compromised systems and performed some sort of activity (like leaving behind malicious files) that can cause real harm. What’s more, the evidence must be collected and preserved with the proper methods and chain of custody.
This was the intention of the FBI as it went into those Exchange Servers. Under the authority of federal courts, trained agents surreptitiously went into privately owned servers, collected their evidence, and then deleted the harmful files. And if we can believe the search warrant, this is all they did.
This means the servers are still vulnerable because no one has yet patched them. That is up to the servers’ owners. It always was and still is their responsibility to patch their servers and protect their own interests, and they should do this now.
The FBI is notifying these companies that agents were on their systems. They are doing so after the fact rather than before so as not to tip off the perpetrators, who could conceivably remove or hide their files so they wouldn’t be found.
The Right Action for the Right Reason
So before everyone yells “government overreach!”, we have to ask ourselves: do we want the FBI to catch and take down cyber criminals? Yes, we do, so we have to give them the ability to collect the critical evidence needed under U.S. law to prove a criminal case. Was the FBI right to go into private servers without the owners’ knowledge or permission? Under these circumstances, I think they were.
And finally, as the CEO of a cybersecurity company, I must advise all server owners or managers to keep up to date with their security patches. It’s the best way to reduce risk of harm due to cyber-attack.