FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US

from the computers-on-blast dept

Great news, everyone! The FBI has been fighting a cyberwar on your behalf… perhaps utilizing your own computer. Here’s Zack Whittaker with some details:

A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, which it described as “successful.”

Hundreds of computers have been accessed by the FBI under the theory that these beneficiaries of government tech largesse won’t complain too much about the FBI’s (however brief) intrusion. This is the DOJ’s official coat of gloss:

Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.

Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized.

Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

So, what does this mean? Well, it means a few things. First of all, it appears Microsoft was unable to mitigate the problem on its own. The threat that remained was due to end users who were either uninformed or unwilling to take the steps that would prevent further infection or damage.
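The removal step the DOJ describes (copy the web shell, then delete only the file at its known path) and the limitation TechCrunch notes further down (the shells were removed, but the vulnerabilities were not patched) translate into a narrowly scoped cleanup routine. The following is an added example, not code from the article, the FBI or the DOJ; the web root, file names and manifest are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def remediate_web_shell(web_root, shell_path, evidence_dir):
    """Copy, then delete, exactly one web shell file (the 'copy and remove'
    step). Returns an audit record. Deleting the shell does not patch the
    server, so the record always flags that work as still outstanding."""
    record = {"path": str(shell_path), "action": None, "sha256": None,
              "still_needs_patch": True}
    # Scope check: the target must resolve to a regular file inside the web
    # root; a manifest typo, a symlink out of the tree or a dir is refused.
    try:
        shell_path.resolve(strict=True).relative_to(web_root.resolve())
    except FileNotFoundError:
        record["action"] = "absent"  # owner already removed it
        return record
    except ValueError:
        record["action"] = "refused_out_of_scope"
        return record
    if not shell_path.is_file():
        record["action"] = "refused_not_a_file"
        return record
    # Keep a hashed copy before deletion so the artefact can still be
    # analysed and the owner told exactly what was removed.
    digest = hashlib.sha256(shell_path.read_bytes()).hexdigest()
    evidence_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(shell_path, evidence_dir / f"{digest}_{shell_path.name}")
    shell_path.unlink()
    record.update(action="copied_and_removed", sha256=digest)
    return record

def remediate_manifest(web_root, paths, evidence_dir):
    """Apply the single-path removal to an 'Attachment A' style path list."""
    return [remediate_web_shell(web_root, Path(p), evidence_dir) for p in paths]

def demo():
    """Constructed sample tree (not a real Exchange install): a planted file
    standing in for a shell, a file outside the web root, a cleaned-up path."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "wwwroot"
    root.mkdir()
    shell = root / "planted.aspx"
    shell.write_bytes(b'<%@ Page Language="C#" %> placeholder, not a real shell')
    decoy = tmp / "outside.aspx"
    decoy.write_text("not in scope")
    manifest = [str(shell), str(decoy), str(root / "already_gone.aspx")]
    return remediate_manifest(root, manifest, tmp / "evidence")
```

Running `demo()` removes only the planted file, refuses the out-of-scope path, reports the missing one as already absent, and leaves every record marked as still needing a patch.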

Then there’s the how. And that has to do with the FBI’s expanded powers under Rule 41(b). Prior to 2016, jurisdictional limits were placed on warrants and searches: if the government wanted to search or seize, it had to request a warrant in the jurisdiction where the search or seizure would take place. The government found this too limiting, and the jurisdictional limits were causing it trouble in court. Its investigations of dark web child porn servers led to the use of a “network investigative technique” (NIT), a search of computers connecting to those servers that resulted in the deployment of malware to collect identifying info. Legal challenges were raised under Rule 41, which required warrants to be executed within the court’s jurisdiction, while the NITs deployed by the FBI were distributed to computers all over the world.

The jurisdictional limits are gone. The FBI’s warrant [PDF] says that Rule 41(b) now allows it to travel far outside the Southern District of Texas, where the warrant request was made. No one can say for sure how far the FBI’s web shell-targeting efforts traveled. Not even the FBI:

The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.

There’s the presumption. All the servers might be in the US. Then again, they may not. But no one knows for sure until after the warrant is executed and all the data is in.

No one targeted by the Rule 41 warrant is suspected of committing crimes. Instead, they’ve done nothing more than run unpatched software that presents a security risk to them and anyone else they come in contact with. The FBI has decided it’s up to the government to come to the rescue of computer users around the US (and perhaps around the world) to prevent further malicious hacking by suspected Chinese state operatives.

So, where does this leave computer users who’d rather not have the government meddle with their unpatched software? On the outside and in the minority, it would appear. The FBI was able to deactivate backdoors in several targets but estimates “hundreds” of servers remain vulnerable because the FBI’s hacking tool was unable to find and eliminate the threat under the confines of the court order it obtained.

Now that the court order has been unsealed, the FBI is reaching out to those whose computers the agency briefly accessed. And it definitely should. Not just because of the unexpected intrusion, but because the FBI could only do so much with its web shell-hunting software.

The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.

There it is. The attempt to neutralize a threat only neutralized some of it. But the FBI had permission to neutralize whatever it encountered that met its definition of a threat, no matter where the target was located. This is the FBI using its powers for good, which makes this effort pretty benign. But the FBI’s definition of “good” is, at some point, going to cause considerable collateral damage because Rule 41(b) no longer limits it to a single jurisdiction. This was a search, as the FBI freely admits. That it was strictly limited in this case speaks more to the operational aspects of the job than to the FBI’s better judgment. We can only hope that in the future, as the FBI flexes its jurisdictional free pass, the agency shows as much restraint when there’s more than some unpatched computers at stake.


Comments on “FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US”

43 Comments
This comment has been deemed insightful by the community.
That Anonymous Coward (profile) says:

Re: Re:

Because the FBI is about headlines & soundbites.

They got a crack in the law, FOR THE CHILDREN!!!, & they needed to drive in a wedge to make sure the crack stayed open.

Who cares if they didn’t manage to stop it, they can report about all of these shells they shutdown… ignoring that the owners of the servers are in exactly the same position as before. Vulnerable & if they look to see if they’d been hit… the evidence is gone so they can assume they are fine.

TKnarr (profile) says:

Re: Re:

The people running those servers were notified, repeatedly. They took no action to apply the permanent fixes that were available. Their compromised machines pose a security risk not just to the owners but to everybody else on the Internet. If nothing else they permit the criminals behind the infections to download any and all personal information that may be accessible from those machines and use those machines to attack others.

If the FBI’s going to abuse its authority, this is the way I’d prefer them to abuse it.

This comment has been deemed insightful by the community.
That Anonymous Coward (profile) says:

"Whois records and IP address geolocation"

Because there is NOTHING more accurate than these things.

Did you see where my eyes went? They rolled way the fsck out of my head.

Same braintrust that held a family at gunpoint as pedophiles b/c no one bothered to see if the router was open or not.

This is a nice photo op for the FBI standing in front of the flag, looking all official, with a Mission Accomplished banner…

Sadly no one remembers what happened the last time we saw this photo op.

This comment has been deemed insightful by the community.
Norahc (profile) says:

Hmmmm….since I’m running Linux does this mean I have to look forward to the FBI wiping my operating system and replacing it with something that they can remotely access with a Rule 41 warrant?

Totally wouldn’t surprise me if the next going dark argument from the FBI is non-windows operating systems are a haven for hackers and child porn producers.

Uriel-238 (profile) says:

Re: Non-windows operating systems

My latest upgrade featured a copy of Windows 10, which I’ve been trying to keep from tracking all my movements and reporting back to Big Microsoft. It’s an ongoing fight.

But delving deeper into the OS, it’s actually harder to tweak the system than Win7. I’m spending a lot of time in Regedit.

I’m trying to understand why businesses are sticking to Windows unless it’s sheer habit, especially since all the new flashy features mean reporting keylogs to Microsoft (who is, like Amazon, rather chummy with law enforcement). If I was, say, a general contractor, I wouldn’t want them looking at my data for leverage.

Scary Devil Monastery (profile) says:

Re: Re: Non-windows operating systems

"I’m trying to understand why businesses are sticking to Windows unless it’s sheer habit"

Cost and convenience. You get windows. Then you get office365, because it’s what everyone uses. Now you have a tech support subscription for MS services and the lock-in is complete.

A smaller business can turn on a dime and replace this all with Linux, probably…but the bigger ones, with tens of thousands of employees worldwide and several dozen interlinked business units? They’ll stick to MS like glue until they feel the cost and inconvenience of migrating from that platform gets worse than staying on it.

"If I was, say, a general contractor, I wouldn’t want them looking at my data for leverage."

This is what NDAs are for. 🙂

PaulT (profile) says:

Re: Re: Re: Non-windows operating systems

"Cost and convenience. You get windows. Then you get office365, because it’s what everyone uses."

Actually, Office has been the killer app for Windows for a long time (along with gaming, although that’s not required for business contexts).

Because most office workers have trained with Microsoft Office, many refuse to use anything else, or find it so difficult that they need to be retrained. I worked in a company a while ago where OpenOffice was deployed for massive savings, and it did everything that the staff actually needed to do. But, there was such a revolt against it for just looking a bit different that management just paid for a new version of MS Office to appease them.

This may be changing as people get more used to alternative interfaces like Google Docs, and server applications are a different story. But, the average worker drone? They’ll demand Windows, and that includes the beancounters, so they’ll let that slide while demanding cuts to necessary services on the backend…


Anonymous Coward says:

Re: try this w new subject line

Legal challenges were raised under Rule 41, which required warrants to be executed within the court’s jurisdiction.

Rule 41 objections were DULY ADJUDICATED several times at Appeals level, found by every one to be MERE technical point in NO way requiring suppressing evidence of downloading child porn. — Techdirt continues to protest this due justice, though, because favors child pornography. No other conclusion can be drawn. — That rule clarification has not and will not affect anyone not requiring to suppress clear evidence to escape justice.


Anonymous Coward says:

Re: try this w new subject line

The jurisdictional limits are gone.

You cannot logically require gov’t to get a warrant for every jurisdiction when the actual physical location is unknown. This is the era of teh internets, kids. You are not "safe" to download child porn (or stolen content, Techdirt’s real goal) behind an insane legalism that puts impossible burdens on gov’t.


Anonymous Coward says:

Re: try this w new subject line

Sum of your view: "Oh, sure, just because good results here doesn’t mean that knowing downloaders of child porn shouldn’t be let go."


YET AGAIN, the mysterious "spam filter" blocks me for a while, then after AC one-liners breaks through, lets ALL of the original text go in!

Does rob me of screen name, though:

NAME:WRECK

This comment has been deemed insightful by the community.
Nick-B says:

Re: Re:

Sounds like they used the exact same open web shell left behind by the hackers in the original wave. The article states that this was used to clean up the shells left by the first hacks. Most likely the method used (and user/password used by the hackers) was known, so the FBI used the same entry point used by them. Then, while in with the same permissions, deleted the web shell itself as they left.

If I was a white hat hacker doing this kind of thing, it’s what I’d do. Get in using the existing exploit (partly to prove that it is still a vulnerability) and remove it as you leave.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: I find your lack of security... disturbing.

Sure, Linux can be more secure. It is not, however, a "secure it and done" thing. You are not excused from regularly updating it and new bugs are found.

You are also vulnerable to repository poisoning, and your web servers are not greatly less vulnerable on Linux than they are on Windows or other operating systems given the common libraries and products used.

PaulT (profile) says:

Re: Re: I find your lack of security... disturbing.

Yeah, the "secure and hardening" part of the comment is important to realise. Traditionally, Linux has been way more secure because of the way it’s designed and operated by default and because a Linux admin is generally more aware of and concerned with security in general. This has changed somewhat in recent years with Windows being way more secure out of the box than it used to be, but there’s no replacement for due diligence and competent security administration. People shouldn’t get complacent just because they don’t run Windows.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

'We pinky-promise we'll be responsible this time.'

Given this is the same agency that ran a massive CSAM platform for two weeks and used a technique to try to identify users that violated the law so they were scrambling to get the law changed, even if this was a responsible use of their ‘one warrant for everything’ power I absolutely do not trust them to stay responsible, and fully expect that it will be a matter of when, not if, they abuse this one to do something they shouldn’t.

Anonymous Coward says:

Hopefully all US servers

This is hacking pure and simple. Only difference is that these are the good guys (relative to a sliding scale of good or bad that bears no relation to reality and determined by the TLA of your choice). Hopefully this was all USA servers and not owned by countries like Russia. I’m guessing that qualified immunity/TLA will apply cos “good guys US of A” and “think of the children”.
