fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

FBI Nuked Web Shells From Hacked Exchange Servers Without Telling Owners

FBI Nuked Web Shells From Hacked Exchange Servers Without Telling Owners

A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners.

On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM.

These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers. These web shells provided remote access to the servers where threat actors used them to exfiltrate email and accounts credentials.

Over the following weeks, government agencies released guidance, and Microsoft released a variety of scripts and tools to help victims determine if they had been compromised and remove web shells.

Simultaneously, other threat actors began using the Microsoft Exchange vulnerabilities to install ransomwarecryptominers, and further web shells.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

FBI uses search warrant to remove web shells

In a Department of Justice press release published today, the FBI states they used a search warrant to access the still-compromised Exchange servers, copy the web shell as evidence, and then remove the web shell from the server.

The FBI requested this warrant because they believed that the owners of the still-compromised web servers did not have the technical ability to remove them on their own and that the shells posed a significant risk to the victim.

“Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own,” the FBI stated in an affidavit in support of a search warrant.

As there was concern that notifying the owners of these servers could compromise the operation, the FBI requested that the warrant be sealed and that notification of the warrant be delayed until the operation was finished.

“Accordingly, the United States requests approval from the Court to delay notification until May 9, 2021, 30 days from the first possible date of execution on April 9, 2021, or until the FBI determines that there is no longer need for delayed notice, whichever is sooner,” the affidavit requested.

They further requested permission to search at any time of the day to avoid detection by threat actors.

“Because accessing such computers at all times will allow the government to minimize the likelihood of the actors’ detection and deployment of countermeasures that could frustrate the authorized search, good cause exists to permit the execution of the requested warrant at any time in the day or night,” states the affidavit.

To clean the identified Microsoft Exchange servers, the FBI accessed the web shell using known passwords utilized by the threat actors, copied the web shell as evidence, and then executed a command to uninstall the web shell from the compromised server.

“FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each of the approximately web shells to the servers to delete the web shells themselves,” the FBI explained in the affidavit.

Command to remove web shells from compromised Exchange Servers
Command to remove web shells from compromised Exchange Servers

A court in Houston granted the search warrant on April 9th and permitted the FBI to remove web shells from the listed Exchange Server over the next 14 days. The court also allowed the FBI to delay providing notice to the Exchange Servers’ owners being searched.

Also Read: Data Protection Officer Singapore | 10 FAQs

Court approval of search warrant
Court approval of search warrant

The DOJ press release states that the FBI operation was successful and that they could remove hundreds of web shells from compromised US Exchange Servers.

However, the FBI states that the operation only removed web shells and did not apply security updates or remove any other malware that threat actors may have installed on the server.

The FBI is now in the process of notifying victims whose Exchange servers were accessed during the operation. The FBI will send these notifications via email from an official FBI.gov email account, or if contact information is not available, by using a service provider (ISP) to contact the victim.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us