To limit the damage from the rapid, widespread exploitation of the ProxyLogon vulnerabilities in Microsoft Exchange servers, the FBI conducted a court-authorized operation to remove webshells that one of the threat actors had left on exposed Exchange servers in the United States. The FBI's affidavit argued that, because the webshells were difficult to find and remove, the affected administrators were unlikely to find and remove them on their own. In the operation, the FBI tried the passwords the attackers were known to use in order to access each webshell, used that access to collect evidence, and then issued a command through the webshell to uninstall it. Note that the FBI removed only the webshells: it did not patch any of the systems it accessed, nor did it search for or remove other backdoors or malware left by other threat actors, so a server that was cleaned in this way may still be vulnerable and may still be compromised by other implants. The FBI is attempting to notify, by email, the owners of the servers it accessed.
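Because the operation removed only the webshells it targeted, an administrator still has to hunt for leftover shells on their own. As an added example (not code from the original post, from Binary Defense, or from the FBI operation), the following Python script walks the Exchange front-end directories where post-ProxyLogon webshells were typically written and flags ASPX files whose server-side code evaluates request-supplied input, which is how the one-line shells dropped after exploitation worked. The directory list, the pattern names, the rule that no ASPX file belongs under aspnet_client, and the sample files it builds are assumptions constructed for the example; the drive and install path must be adjusted for a real server.

```python
"""Hunt for leftover ASPX web shells under Exchange front-end directories.

Added example, not Binary Defense's or the FBI's tooling. It reports .aspx
files whose server-side code evaluates request input (the shape of the
one-line shells dropped after ProxyLogon) and any .aspx file found under
aspnet_client, where none is expected (assumption, verify on your build).
"""
import re
import tempfile
from pathlib import Path

# Directories where post-ProxyLogon web shells were commonly written, as path
# parts relative to the system drive. The Exchange install location is an
# assumption; adjust for your server.
EXCHANGE_WEB_DIRS = [
    ("inetpub", "wwwroot", "aspnet_client"),
    ("Program Files", "Microsoft", "Exchange Server", "V15",
     "FrontEnd", "HttpProxy", "owa", "auth"),
    ("Program Files", "Microsoft", "Exchange Server", "V15",
     "FrontEnd", "HttpProxy", "ecp", "auth"),
]

SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}

# Server-side constructs typical of one-line ASPX shells (pattern names are
# labels chosen for this example).
SHELL_PATTERNS = {
    "eval-of-request": re.compile(r"eval\s*\(\s*Request\b", re.I),
    "execute-of-request": re.compile(r"\bExecute\s*\(\s*Request\b", re.I),
    "runat-server-page-load-request": re.compile(
        r'runat\s*=\s*"server".{0,200}?Page_Load.{0,200}?Request\s*[\[.(]',
        re.I | re.S),
}


def scan_file(path: Path):
    """Return the names of the shell patterns matched by one file (may be empty)."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(text)]


def scan_tree(root: Path):
    """Walk the known Exchange web directories beneath root and return
    (path relative to root, [reasons]) for every suspicious script file."""
    findings = []
    for parts in EXCHANGE_WEB_DIRS:
        base = root.joinpath(*parts)
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
                continue
            reasons = scan_file(path)
            # Assumption: aspnet_client normally holds only static WebForms
            # resources, so any .aspx there is worth a look regardless of content.
            if parts[-1] == "aspnet_client" and path.suffix.lower() == ".aspx":
                reasons.append("unexpected-aspx-in-aspnet_client")
            if reasons:
                findings.append((str(path.relative_to(root)), reasons))
    return findings


# Constructed sample content: a benign sign-in page and a one-line JScript
# shell of the kind seen after ProxyLogon. File names are made up for the example.
BENIGN_ASPX = '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n'
SHELL_ASPX = ('<script language="JScript" runat="server">'
              'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>')


def build_sample_tree() -> Path:
    """Create a throwaway directory tree that mimics an Exchange front end."""
    root = Path(tempfile.mkdtemp(prefix="exchange-sample-"))
    aspnet = root.joinpath(*EXCHANGE_WEB_DIRS[0])
    aspnet.mkdir(parents=True)
    (aspnet / "stray.aspx").write_text(BENIGN_ASPX)      # flagged by location only
    owa_auth = root.joinpath(*EXCHANGE_WEB_DIRS[1])
    owa_auth.mkdir(parents=True)
    (owa_auth / "logon.aspx").write_text(BENIGN_ASPX)     # benign, not flagged
    (owa_auth / "shell-sample.aspx").write_text(SHELL_ASPX)  # flagged by content
    return root


if __name__ == "__main__":
    for rel_path, reasons in scan_tree(build_sample_tree()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

The matching is a heuristic: a shell can be obfuscated past these patterns, and a clean scan is not proof of a clean server. Treat hits as leads to compare against the files shipped with your Exchange build, and remember that removing a shell, whether by the FBI or by you, does not patch the underlying vulnerability or remove other persistence.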
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is