FBI Operation Remotely Removes Web Shells From Exchange Servers

A court order authorized the FBI to remove malicious Web shells from hundreds of vulnerable machines running on-premises Exchange Server.

A court order has authorized an FBI operation to remove Web shells deployed on machines running on-premises versions of Microsoft Exchange Server, the Justice Department reports.
As part of the operation, which authorized the activity for email servers in the United States, the FBI copied and removed one early hacking groups remaining web shells from affected targets. The Web shells could have been used to maintain and increase unauthorized access to networks if left on the compromised machine, say officials, who call the operation successful.
News of the operation arrives roughly six weeks after Microsoft disclosed critical Exchange Server flaws that have since been used to target thousands of networks around the world. An attacker could leverage the vulnerabilities to break into an unpatched server and steal its data.
At the time it released patches, Microsoft identified one group behind the activity as Hafnium, a state-sponsored group operating out of China. However, many more groups have also begun to use these vulnerabilities to deploy
ransomware
or
cryptomining
attacks, among other activity.
Many organizations
rushed to patch
the bugs: On March 24, Microsoft
reported
92% of global Exchange IPs had been patched. But while applying a patch will prevent future compromise, it wont remove malicious code already present on a machine. Court documents unsealed today cite open source reporting that states there may be at least 60,000 global Microsoft customers whose Exchange Servers were compromised using the vulnerabilities.
These attacks often start with
deploying a Web shell
, which attackers can use to communicate with target machines and distribute files to infect them with additional malware. A public scan revealed Web shells were still present on target servers. The court did not disclose an exact numbers; however, a Justice Department
release
published this week says hundreds of Web shells persisted unmitigated on computers in the US and likely wouldnt be removed.
Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because the victims lack the technical ability to remove them on their own, an FBI special agent (name redacted) wrote in the
warrant application
.
The warrant granted the FBI authorization to search compromised Microsoft Exchange Servers and uninstall the Web shells present on them to prevent further attack activity.
In the court documents, officials explain that FBI personnel accessed the Web shells, entered passwords, made a copy of the Web shell, and then issued a command through each of the Web shells to the servers, instructing them to delete the Web shell from the target computer. In a test process, the command deleted a Web shell but didnt affect other files or services on a device. Officials note this process also did not patch any of the Exchange Server zero-days.
Although todays operation was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting web shells, the statement says.
The FBI is now attempting to contact owners or operators of the machines from which it removed malicious Web shells. Those with publicly available contact information will receive an email message from an official FBI.gov email address. For those whose contact data is not public, the FBI will attempt to contact providers to provide notice.
Attacks targeting the Exchange Server vulnerabilities are ongoing, posing a significant
challenge to defenders
. Officials encourage admins to review Microsofts remediation guidance for more details on detection, remediation, and patching.
News of the FBI operation arrives one day after
Microsoft patched
four more critical Microsoft Exchange Server vulnerabilities. All of these were discovered by the National Security Agency and affect Exchange Server versions 2013 through 2019. Two have a CVSS score of 9.8, higher than those of the zero-day vulnerabilities patched last month, and have a network attack vector, meaning they likely are wormable — at least between Exchange Servers.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
FBI Operation Remotely Removes Web Shells From Exchange Servers