Threat Watch

Operation to Remove Exchange Webshells Announced by Department of Justice

To mitigate the damage from the rapid exploitation of the ProxyLogon vulnerabilities in Microsoft Exchange servers, the FBI conducted a court-approved operation to remove webshells left by one of the threat actors who exploited exposed Exchange servers in the United States. In an affidavit, it states that because of the difficulty in finding and removing the webshells, it was unlikely that the administrators would find and remove them on their own. In the operation, the FBI would try known passwords used by the attackers to access the webshell, use the access to gather evidence, and then initiate an uninstall of the webshell. It should also be noted that during this time, the FBI only removed the webshells and did not patch any of the systems accessed, nor did they attempt to remove any other backdoors or malware left by other threat actors. The FBI is attempting to notify, via email, the owners of the servers that they accessed.


Time will tell how effective this operation will be, especially with many servers remaining unpatched. However, the FBI is in the process of notifying victims initially affected by the mass exploitation which had not yet identified and removed the attacker’s backdoor access. It is possible that some or all of those victims had applied the Exchange patch from Microsoft but still had a webshell from a previous exploitation before they patched. Ideally, the FBI or DHS should make notification of victims a priority and provide solid advice for companies to mitigate the threat and identify any other backdoors left on the system. For further information concerning this operation, the statement by the DOJ is linked below.