FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US
from the computers-on-blast dept
Great news, everyone! The FBI has been fighting a cyberwar on your behalf… perhaps utilizing your own computer. Here’s Zack Whittaker with some details:
A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.
The Justice Department announced the operation on Tuesday, which it described as “successful.”
Hundreds of computers have been accessed by the FBI under the theory that these beneficiaries of government tech largesse won’t complain too much about the FBI’s (however brief) intrusion. This is the DOJ’s official coat of gloss:
Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.
Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized.
Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).
So, what does this mean? Well, it means a few things. First of all, it appears Microsoft was unable to mitigate the problem on its own. The threat that remained was due to end users who were either uninformed or unwilling to take the steps needed to prevent further infection or damage.
Then there’s the how. And that has to do with the FBI’s expanded powers under Rule 41(b). Prior to 2016, jurisdictional limits were placed on warrants and searches. If the government wanted to search/seize, it had to request a warrant in the jurisdiction where the search/seizure would take place. The government found this too limiting. The jurisdictional limits were causing it trouble in court. Its investigations of dark web child porn servers led to the use of a network investigative technique (NIT) — a search of computers connecting to those servers that resulted in the deployment of malware to collect identifying info. Legal challenges were raised under Rule 41, which required warrants to be executed within the court’s jurisdiction. The NITs deployed by the FBI were distributed to computers all over the world.
The jurisdictional limits are gone. The FBI’s warrant [PDF] says that Rule 41(b) now allows it to travel far outside the Southern District of Texas, where the warrant request was made. No one can say for sure how far the FBI’s web shell-targeting efforts traveled. Not even the FBI:
The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.
There’s the presumption. All the servers might be in the US. Then again, they may not. But no one knows for sure until after the warrant is executed and all the data is in.
No one targeted by the Rule 41 warrant is suspected of committing crimes. Instead, they’ve done nothing more than run unpatched software that presents a security risk to them and anyone else they come in contact with. The FBI has decided it’s up to the government to come to the rescue of computer users around the US (and perhaps around the world) to prevent further malicious hacking by suspected Chinese state operatives.
So, where does this leave computer users who’d rather not have the government meddle with their unpatched software? On the outside and in the minority, it would appear. The FBI was able to deactivate backdoors in several targets but estimates “hundreds” of servers remain vulnerable because the FBI’s hacking tool was unable to find and eliminate the threat under the confines of the court order it obtained.
Now that the court order has been unsealed, the FBI is reaching out to those whose computers the agency briefly accessed. And it definitely should. Not just because of the unexpected intrusion, but because the FBI could only do so much with its webshell-hunting software.
The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.
There it is. The attempt to neutralize a threat only neutralized some of it. But the FBI had permission to neutralize whatever it encountered that met its definition of a threat, no matter where the target was located. This is the FBI using its powers for good, which makes this effort pretty benign. But the FBI’s definition of “good” is, at some point, going to cause considerable collateral damage because Rule 41(b) no longer limits it to a single jurisdiction. This was a search, as the FBI freely admits. That it was strictly limited in this case speaks more to the operational aspects of the job than to the FBI’s better judgment. We can only hope — as the FBI flexes its jurisdictional free pass — that the agency shows as much restraint in the future when there’s more than some unpatched computers at stake.