FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US
from the computers-on-blast dept
Great news, everyone! The FBI has been fighting a cyberwar on your behalf… perhaps utilizing your own computer. Here's Zack Whittaker with some details:
A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.
The Justice Department announced the operation on Tuesday, which it described as “successful.”
Hundreds of computers have been accessed by the FBI under the theory that these beneficiaries of government tech largesse won't complain too much about the FBI's (however brief) intrusion. This is the DOJ's official coat of gloss:
Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.
Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized.
Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).
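The DOJ statement above describes a removal keyed to the web shell's file path, and notes that owners remained responsible for the rest of the cleanup. The following is an added example, not the FBI's tool or any DOJ or Microsoft code: a baseline integrity check a server owner can run over a web-served directory. It assumes the owner snapshotted content hashes while the directory was known-clean and re-runs the comparison later; every directory, file name and script-extension list in it is constructed for the demonstration. It reports new or changed script files (candidate web shells) and also files that disappeared since the baseline, because a shell vanishing on its own is a signal worth investigating rather than a sign that the underlying vulnerability was patched.

```python
"""Baseline integrity check for a web-served directory (added example).

Assumptions (not from the page): the defender snapshots content hashes of
the web root while it is known-clean, stores that manifest, and re-runs
the comparison on a schedule. New or changed script files are candidate
web shells; baseline files that are missing are reported too, since a
removed shell does not mean the underlying vulnerability was fixed.
"""
import hashlib
import os
import tempfile

# Extensions the web server would execute if an attacker dropped them.
# Constructed list; tune it to what your server actually runs.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, forward-slash path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def diff_against_baseline(root, baseline):
    """Return added, modified and removed paths relative to the baseline."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_scripts(diff):
    """New or changed files that the web server would execute."""
    return sorted(
        p for p in diff["added"] + diff["modified"]
        if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS
    )


def _write(root, rel, text):
    """Write a constructed sample file, creating parent directories."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario in a temp dir: clean baseline, then a dropped
    script, an edited page and a deleted file. Returns (diff, flagged)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "owa/auth/logon.aspx", "<%@ Page %> legitimate logon page")
        _write(root, "owa/auth/logo.png", "constructed placeholder, not a png")
        _write(root, "ecp/default.aspx", "<%@ Page %> legitimate ecp page")
        baseline = build_baseline(root)

        # Simulated post-compromise state (constructed; no real shell code).
        _write(root, "owa/auth/dropped.aspx", "<%@ Page %> constructed placeholder")
        _write(root, "ecp/default.aspx", "<%@ Page %> legitimate ecp page, edited")
        os.remove(os.path.join(root, "owa", "auth", "logo.png"))

        diff = diff_against_baseline(root, baseline)
        return diff, suspicious_scripts(diff)


if __name__ == "__main__":
    d, flagged = demo()
    print("diff:", d)
    print("flagged scripts:", flagged)
```

In practice the baseline manifest is stored off the server (an attacker with write access to the web root can otherwise edit it), and the "removed" list is reviewed alongside the "added" one: a file that disappears without an administrator touching it means someone else had write access, whether an attacker rotating shells or a third party cleaning up.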
So, what does this mean? Well, it means a few things. First of all, it appears Microsoft was unable to mitigate the problem on its own. The threat that remained was due to end users either uninformed or unwilling to take steps to prevent further infection or damage.
Then there's the how. And that has to do with the FBI's expanded powers under Rule 41(b). Prior to 2016, jurisdictional limits were placed on warrants and searches. If the government wanted to search/seize, it had to request a warrant in the jurisdiction where the search/seizure would take place. The government found this too limiting. The jurisdictional limits were causing it trouble in court. Its investigations of dark web child porn servers led to the use of network investigative techniques (NITs) -- a search of computers connecting to those servers that resulted in the deployment of malware to collect identifying info. Legal challenges were raised under Rule 41, which required warrants to be executed within the court's jurisdiction. The NITs deployed by the FBI were distributed to computers all over the world.
The jurisdictional limits are gone. The FBI's warrant [PDF] says that Rule 41(b) now allows it to travel far outside the Southern District of Texas, where the warrant request was made. No one can say for sure how far the FBI's web shell-targeting efforts traveled. Not even the FBI:
The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.
There's the presumption. All the servers might be in the US. Then again, they may not. But no one knows for sure until after the warrant is executed and all the data is in.
No one targeted by the Rule 41 warrant is suspected of committing crimes. Instead, they've done nothing more than run unpatched software that presents a security risk to them and anyone else they come in contact with. The FBI has decided it's up to the government to come to the rescue of computer users around the US (and perhaps around the world) to prevent further malicious hacking by suspected Chinese state operatives.
So, where does this leave computer users who'd rather not have the government meddle with their unpatched software? On the outside and in the minority, it would appear. The FBI was able to deactivate backdoors in several targets but estimates "hundreds" of servers remain vulnerable because the FBI's hacking tool was unable to find and eliminate the threat under the confines of the court order it obtained.
Now that the court order has been unsealed, the FBI is reaching out to those whose computers the agency briefly accessed. And it definitely should. Not just because of the unexpected intrusion, but because the FBI could only do so much with its web shell-hunting software.
The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.
There it is. The attempt to neutralize a threat only neutralized some of it. But the FBI had permission to neutralize whatever it encountered that met its definition of a threat, no matter where the target was located. This is the FBI using its powers for good, which makes this effort pretty benign. But the FBI's definition of "good" is, at some point, going to cause considerable collateral damage because Rule 41(b) no longer limits it to a single jurisdiction. This was a search, as the FBI freely admits. That it was strictly limited in this case speaks more to the operational aspects of the job than to the FBI's better judgment. We can only hope -- as the FBI flexes its jurisdictional free pass -- that the agency shows as much restraint in the future when there's more than some unpatched computers at stake.
Reader Comments
Just how did they do a download all to test for the web shell presence?
Also, why not notify people of the presence of the web shell, so a permanent fix could be applied, rather than a temporary removal?
Re:
Because the FBI is about headlines & soundbites.
They got a crack in the law, FOR THE CHILDREN!!!, & they needed to drive in a wedge to make sure the crack stayed open.
Who cares if they didn't manage to stop it, they can report about all of these shells they shut down... ignoring that the owners of the servers are in exactly the same position as before. Vulnerable & if they look to see if they'd been hit... the evidence is gone so they can assume they are fine.
Re:
The people running those servers were notified, repeatedly. They took no action to apply the permanent fixes that were available. Their compromised machines pose a security risk not just to the owners but to everybody else on the Internet. If nothing else they permit the criminals behind the infections to download any and all personal information that may be accessible from those machines and use those machines to attack others.
If the FBI's going to abuse its authority, this is the way I'd prefer them to abuse it.
Re: Re:
Except that they only removed the web shell, and did nothing to stop it being promptly re-installed. Also, given the level of access available via the web shell, what are the chances they had a look around before removing it?
Re: Re: Re:
They could have just given the FBI version of the exploit to MS, who probably could have also forcibly patched the vulnerability(ies).
Re: Re: Re: Re:
A prolonged, unscheduled server shutdown due to Microsoft updates could upset the companies using Microsoft, and cost them money.
Re: Re:
Yes, but the "notification" consisted of an MS Windows logo shown at boot time. That warning is pretty general and could not be said to give specific warning of the problem at hand.
"Whois records and IP address geolocation"
Because there is NOTHING more accurate than these things.
Did you see where my eyes went? They rolled way the fsck out of my head.
Same braintrust that held a family at gunpoint as pedophiles b/c no one bothered to see if the router was open or not.
This is a nice photo op for the FBI standing in front of the flag, looking all official, with a Mission Accomplished banner...
Sadly no one remembers what happened the last time we saw this photo op.
Hmmmm....since I'm running Linux does this mean I have to look forward to the FBI wiping my operating system and replacing it with something that they can remotely access with a Rule 41 warrant?
Totally wouldn't surprise me if the next going dark argument from the FBI is non-windows operating systems are a haven for hackers and child porn producers.
Non-windows operating systems
My latest upgrade featured a copy of Windows 10, which I've been trying to keep from tracking all my movements and reporting back to Big Microsoft. It's an ongoing fight.
But delving deeper into the OS, it's actually harder to tweak the system than Win7. I'm spending a lot of time in Regedit.
I'm trying to understand why businesses are sticking to Windows unless it's sheer habit, especially since all the new flashy features mean reporting keylogs to Microsoft (who is, like Amazon, rather chummy with law enforcement). If I was, say, a general contractor, I wouldn't want them looking at my data for leverage.
Re: Non-windows operating systems
"I'm trying to understand why businesses are sticking to Windows unless it's sheer habit"
Cost and convenience. You get Windows. Then you get Office 365, because it's what everyone uses. Now you have a tech support subscription for MS services and the lock-in is complete.
A smaller business can turn on a dime and replace this all with Linux, probably...but the bigger ones, with tens of thousands of employees worldwide and several dozen interlinked business units? They'll stick to MS like glue until they feel the cost and inconvenience of migrating from that platform gets worse than staying on it.
"If I was, say, a general contractor, I wouldn't want them looking at my data for leverage."
This is what NDAs are for. :)
Re: Re: Non-windows operating systems
"Cost and convenience. You get Windows. Then you get Office 365, because it's what everyone uses."
Actually, Office has been the killer app for Windows for a long time (along with gaming, although that's not required for business contexts).
Because most office workers have trained with Microsoft Office, many refuse to use anything else, or find it so difficult that they need to be retrained. I worked in a company a while ago where OpenOffice was deployed for massive savings, and it did everything that the staff actually needed to do. But, there was such a revolt against it for just looking a bit different that management just paid for a new version of MS Office to appease them.
This may be changing as people get more used to alternative interfaces like Google Docs, and server applications are a different story. But, the average worker drone? They'll demand Windows, and that includes the beancounters, so they'll let that slide while demanding cuts to necessary services on the backend...
innocuous leader
'cause yet again locked down: TD can't tell spam from dissent!
Re: innocuous leader
"I keep spamming comments and getting blocked for spam, it's a conspiracy!"
Re: innocuous leader
[Asserts facts not in evidence]
yes, one-liners get in
that's TD's level of discussion
try this w new subject line
It's Monday. What can we advocate that's outrageous?
Oh, I know: defend MALWARE! -- AND for kicker, AGAIN object that knowing downloaders of child porn were caught and jailed!
Re: try this w new subject line
Rule 41 objections were DULY ADJUDICATED several times at Appeals level, found by every one to be a MERE technical point in NO way requiring suppressing evidence of downloading child porn. -- Techdirt continues to protest this due justice, though, because it favors child pornography. No other conclusion can be drawn. -- That rule clarification has not and will not affect anyone not needing to suppress clear evidence to escape justice.
Re: try this w new subject line
You cannot logically require gov't to get a warrant for every jurisdiction when the actual physical location is unknown. This is the era of teh internets, kids. You are not "safe" to download child porn (or stolen content, Techdirt's real goal) behind an insane legalism that puts impossible burdens on gov't.
Re: try this w new subject line
Sum of your view: "Oh, sure, just because good results here doesn't mean that knowing downloaders of child porn shouldn't be let go."
YET AGAIN, the mysterious "spam filter" blocks me for a while, then after AC one-liners breaks through, lets ALL of the original text go in!
Does rob me of screen name, though:
NAME:WRECK
Re: Re:
There once was an out of the blue
Who hated the process of due
Each post that he'd made
Was DMCAed
And shoved up his ass with a screw
Read the details carefully and see if you can figure out how they obtained the passwords to these systems or got past the firewalls...
Re:
Well the servers were already compromised...
And remained in that state.
Re: Re:
The FBI doesn't view them as compromised...to them the servers are not warrant proof.
Re:
Sounds like they used the exact same open web shell left behind by the hackers in the original wave. The article states that this was used to clean up the shells left by the first hacks. Most likely the method used (and user/password used by the hackers) was known, so the FBI used the same entry point used by them. Then, while in with the same permissions, deleted the web shell itself as they left.
If I was a white hat hacker doing this kind of thing, it's what I'd do. Get in using the existing exploit (partly to prove that it is still a vulnerability) and remove it as you leave.
The only surprise here is that they went and got a court order. I wonder if they did that before accessing the servers.
How this is likely to play out
1) FBI uses wide warrants for "good".
2) FBI starts testing the limits of these wide-area warrants.
3) Federal courts start pushing back. (one can only hope...)
4) FBI goes to FISA court or other mechanism with insufficient oversight.
Right......
And I'm sure they will only use that power for good...... keep believing that.
All the more reason to be using something like Linux, and know how to secure and harden it.
I find your lack of security... disturbing.
Sure, Linux can be more secure. It is not, however, a "secure it and done" thing. You are not excused from regularly updating it and new bugs are found.
You are also vulnerable to repository poisoning, and your web servers are not greatly less vulnerable on Linux than they are on Windows or other operating systems given the common libraries and products used.
Re: I find your lack of security... disturbing.
Yeah, the "secure and hardening" part of the comment is important to realise. Traditionally, Linux has been way more secure because of the way it's designed and operated by default and because a Linux admin is generally more aware of and concerned with security in general. This has changed somewhat in recent years with Windows being way more secure out of the box than it used to be, but there's no replacement for due diligence and competent security administration. People shouldn't get complacent just because they don't run Windows.
So combine Rule 41 with Rule 34, and Oh, Baby!
Re:
FBI: You know, we are supposed to investigate forced penetration when it crosses state lines......
Nothing I read in this article is "good" or "benign."
Unless these were government computers, the FBI doesn't belong there.
Re:
"Nothing I read in this article is "good" or "benign.""
What, you mean you'd object if law enforcement secretly invaded your home, riffled through your family's private drawers, then made sure to lock the door securely on their way out? What sort of conspiracy nut are you?
/s in case there was need.
Do as we say
This is so typical. Three-letter agency accuses $foreign_competitor of large-scale asset occupation; proceeds days later to do the same. Proof of the supposed original action is never found, but the magnitude of the "reaction" is such that it can't even be hidden.
A step, but not much of one
It's a step up from the time the FBI spent weeks acting as the largest provider of child pornography on earth, I guess. But not much of one.
If you have a good firewall, you can prevent such access.
When I had my online radio station, the only ports allowed on the server were 80, 443 and the ports for the radio streams. Any such attempt to access my system would have failed.
Doing that would certainly have not broken any laws.
'We pinky-promise we'll be responsible this time.'
Given this is the same agency that ran a massive CSAM platform for two weeks and used a technique to try to identify users that violated the law so they were scrambling to get the law changed, even if this was a responsible use of their 'one warrant for everything' power I absolutely do not trust them to stay responsible, and fully expect that it will be a matter of when, not if, they abuse this one to do something they shouldn't.
Hopefully all US servers
This is hacking pure and simple. Only difference is that these are the good guys (relative to a sliding scale of good or bad that bears no relation to reality and determined by the TLA of your choice). Hopefully this was all USA servers and not owned by countries like Russia. I’m guessing that qualified immunity/TLA will apply cos “good guys US of A” and “think of the children”.
I just looked, W10 is still there
Exchange servers are commonly considered their worst product, but leaving them open gave them what, 10 to 20 seconds before they were reinfected again?
FBI - No problem, we fix
They have been practicing:
https://www.techdirt.com/articles/20170411/09411837126/fbi-tries-new-rule-41-changes-size-fight-against-long-running-botnet.shtml
See, no problem.
I absolutely trust the FBI and/or any other government agency to break into systems for our own protection, even though they've shown no proof that everything they broke into were unpatched servers. They can't/won't because that would expose "sources" and "methods". This is just getting us used to more pervasive and invasive surveillance.
Trying to find a metaphor...
We noticed you had a front door handle that was prone to slipping, so we tightened it a bit while you weren't home... but in a couple days it'll be slipping again, but hey, we only tightened it, we didn't make sure it was locked.