
Ep 33 FBI remotely hacking servers

33. The FBI is remotely hacking hundreds of servers or Why Hello, I didn’t see you there...

The FBI is remotely hacking hundreds of computers to protect them from Hafnium

https://www.theverge.com/2021/4/13/22382821/fbi-doj-hafnium-remote-access-removal-hack

The FBI got a court order to delete backdoors from hacked Exchange servers

https://www.engadget.com/fbi-hafnium-exchange-server-060721872.html

USB our Guest - Microsoft Server Exchange Hack

https://anchor.fm/usbog/episodes/Microsoft-Server-Exchange-Hack-ets89n

Hello and welcome back to USB our Guest Cyber Security tips. I’m Theo, here to help you demystify cyber security topics and hacks. Today’s episode covers the FBI’s unprecedented, helpful remote hacking of Hafnium-infected servers. I’ve included two articles and a court document in the show notes. The articles from the Verge and Engadget cover the beginning of the FBI’s attempt to mitigate Hafnium’s hack. Also, I just did an episode on the Microsoft Exchange server hack; I’ll include it in the show notes, or scroll up or down to get to it.

Much like the WannaCrypt/WannaCry ransomware attack from 2017, where Marcus Hutchins ingeniously registered the domain that the virus was checking to identify whether it was in a honeypot, thus creating a kill switch for the virus, the FBI ingeniously took what was available to them and Purple Teamed the heck out of infected servers.

So, a quick review: at the beginning of the year the hackers from Hafnium were exploiting a vulnerability in Microsoft Exchange servers. Microsoft released a patch and a majority of servers were updated. However, at the beginning of March there were still thousands of servers unpatched and vulnerable, and a portion of those most likely had Hafnium’s or other attackers’ web shells installed on them. What’s a web shell? A script placed on the server that allows an attacker remote access after the initial compromise.

Cue the good guys. The FBI decided to start removing the bad guys’ web shells themselves. How? That may be your first question. First, they got a court order to do so, citing that the still-vulnerable servers’ admins may have difficulty finding and removing the shells. According to Engadget, they received permission on April 9th to run the operation for 14 days. Then, they used the vulnerability found by Hafnium to access still-vulnerable servers and remove the web shells. After the FBI completed their operations, they started notifying server owners of the success.
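The episode points out that admins of still-vulnerable servers may have difficulty finding the shells. As an added example (not from the episode, the court order, or the FBI’s operation), here is a small Python triage script that walks a web root and flags server-side script files that both read request input and hand it to something that executes it, which is the shape of the web shell the episode defines. The file extensions, the regex indicators, the directory layout and the sample files it builds are all constructed for this example and are not signatures from any vendor or agency; the script reports a hash and size so an admin can compare a flagged file against published indicators before deciding whether to remove it.

```python
"""Heuristic web-shell triage for an IIS web root (added example, not from the episode).

Assumptions: the extensions, regexes and demo directory below are illustrative
choices for this example, not indicators tied to any specific campaign.
"""
import hashlib
import os
import re
import tempfile

# Constructs that read attacker-controlled request input in ASP.NET pages.
INPUT_PATTERNS = [
    re.compile(r"Request\s*[\[\(]", re.IGNORECASE),
    re.compile(r"Request\.(Form|QueryString|Headers|Cookies)", re.IGNORECASE),
]
# Constructs that execute code or spawn processes; a shell needs one of each group.
EXEC_PATTERNS = [
    re.compile(r"\bEval\s*\(", re.IGNORECASE),
    re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    re.compile(r"CreateObject\s*\(|Assembly\.Load", re.IGNORECASE),
]
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_of(path):
    """Stream a file through SHA-256 so large files don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(source):
    """Return (input_hits, exec_hits): the pattern strings found in a page's source."""
    input_hits = [p.pattern for p in INPUT_PATTERNS if p.search(source)]
    exec_hits = [p.pattern for p in EXEC_PATTERNS if p.search(source)]
    return input_hits, exec_hits


def scan_web_root(root):
    """Walk a web root; return a record for each script file that both reads
    request input and executes something, with hash and size for follow-up."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                source = f.read()
            input_hits, exec_hits = classify(source)
            if input_hits and exec_hits:
                findings.append({
                    "path": path,
                    "sha256": sha256_of(path),
                    "size": os.path.getsize(path),
                    "input_hits": input_hits,
                    "exec_hits": exec_hits,
                })
    return findings


def build_demo_tree():
    """Create a throwaway directory with constructed sample files: a benign page,
    a stylesheet, and a page carrying shell-like constructs (inert text, not a
    working shell). The layout and names are invented for this example."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    os.makedirs(os.path.join(root, "scripts"))
    with open(os.path.join(root, "default.aspx"), "w") as f:
        f.write('<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n')
    with open(os.path.join(root, "scripts", "odd.aspx"), "w") as f:
        f.write('<%@ Page Language="C#" %>\n<% string c = Request["x"]; Eval(c); %>\n')
    with open(os.path.join(root, "style.css"), "w") as f:
        f.write("body { color: black; }\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in scan_web_root(demo_root):
        print(finding["path"], finding["sha256"][:16], finding["size"],
              finding["input_hits"], finding["exec_hits"])
```

Requiring a hit from both groups keeps ordinary pages that merely read form fields out of the report; a flagged file is a candidate for review, and its hash and modification history are what an admin checks before removing anything, since deleting the wrong file on a mail server is its own outage.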

I don’t normally do this but I’m on the fence with this move by the FBI.

On one side of the coin, I’m glad that the US government is going after the bad guys and disrupting their plans. Any time black hat hackers are successful with an attack or receive a ransomware payment, it encourages other bad guys to do the same thing and entices others to participate in the illegal activity. However, when the bad guys' plans are foiled it discourages the activity.

On the other side of the coin, I’m concerned with the precedent that this activity sets. This is an unprecedented move by the FBI. I don’t recall ever hearing of a government entity going to these lengths to disrupt a hacker group’s activity. My initial thought was, Microsoft created and released the patch to fix the vulnerability. This is out of my scope, but couldn’t they have sent a notification stating that, if not fixed within a certain time frame, they would push an update to Windows Defender to apply the fix?

I’m interested to see what happens next. For what future breach will the FBI consider remotely accessing systems again?

That’s all for today’s episode. If you have a topic you would like me to cover, drop me a line at anchor.fm/usbog or email me at usbourguest@gmail.com. If I’ve helped you in any way, please consider telling friends or family about the podcast, or rate and review the podcast on whatever platform you use to listen. Thank you for listening and have a great day.