FBI Removes Web Shells from Infected Exchange Servers
The US authorities sought a court order to remove web shells running on hundreds of Microsoft Exchange servers, following mass exploitation of vulnerabilities patched in March, it has emerged.
The Department of Justice (DoJ) announced the move yesterday, explaining that although system owners managed to remove thousands of malicious scripts from their infected servers, hundreds persisted.
Although the attacks started as early as January, one report claimed that as many as 30,000 US Exchange Server customers may have ultimately been impacted by the compromise, as various groups piled in once the bugs were made public a couple of months later.
Web shells were installed on the infected machines to give attackers a persistent backdoor they could return to, and were used to deploy additional malware such as ransomware and coin miners.
According to the DoJ, the FBI issued a command through each remaining web shell to the affected server, causing it to delete the offending script, which was identified by its unique file path.
However, the notice warned victims of the attacks that the court-authorized action did not extend to patching the Exchange Server vulnerabilities or finding and removing any additional malware or hacking tools that may have been placed on endpoints.
The FBI is currently in the process of contacting those whose machines it has scrubbed of web shells, either directly or via their ISP or other service provider.
However, Rick Holland, CISO at Digital Shadows, warned that the risk of reinfection is high for those who’ve so far been unable to remove their web shells.
“The speed with which the FBI conducts the victim notification is critical. The FBI only removed the web shells, not the software vulnerabilities themselves. Chinese actors will no doubt have already set up additional ways to maintain persistence in their victim networks. We will see a ‘gold rush’ of other malicious actors seeking to reinfect the unpatched Exchange servers,” he argued.
“The FBI notification process itself provides actors an opportunity to target new victims. Bad actors can set up a phishing lure that purports to be from a legitimate FBI address to social engineer their targets.”