FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US

Techdirt. 2021-04-19

Summary:

Great news, everyone! The FBI has been fighting a cyberwar on your behalf… perhaps utilizing your own computer. Here's Zack Whittaker with some details:

A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, which it described as “successful.”

Hundreds of computers have been accessed by the FBI under the theory that these beneficiaries of government tech largesse won't complain too much about the FBI's (however brief) intrusion. This is the DOJ's official coat of gloss:

Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.

Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized.

Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).
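The DOJ passage above says the remaining web shells were identified by their file paths and removed by sending a command through the shell itself. A server owner hunting for the same shells would more likely start from the IIS logs of the Exchange front end, where a web shell shows up as requests to an .aspx page that a stock install never had. The following Python is an added example, not code from Techdirt, the DOJ, or Microsoft: it parses W3C-format IIS log lines (constructed here) and flags requests to .aspx pages in the Exchange front-end directories that do not appear on a known-good allowlist, noting POSTs separately because that is how a shell receives its commands. The watched directories and the allowlist are assumptions for illustration; a real allowlist is built from a known-good server or the vendor's file manifest.

```python
"""Flag suspected web-shell requests in IIS W3C logs from an Exchange front end.

Added example. The directories and allowlist below are illustrative
assumptions, not an authoritative list.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Directories under the Exchange front-end site where ASP.NET pages live and
# where a dropped web shell would also land (assumption for this example).
WATCHED_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")

# Pages expected under those directories on a stock install (illustrative
# allowlist, compared case-insensitively; build a real one from a known-good
# server or the vendor's file manifest).
KNOWN_GOOD = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/owa/auth/signout.aspx",
    "/ecp/auth/timeoutlogout.aspx",
}

# Constructed sample log: two ordinary logon requests, a lookalike page
# receiving a POST from an unusual client, and a page in a directory that
# should never serve .aspx at all. IP addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-04 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-04 00:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f&reason=0 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-03-04 00:00:03 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/auth/logon.aspx 302 0 0 47
2021-03-04 00:01:12 10.0.0.5 POST /owa/auth/errorEE.aspx - 443 - 203.0.113.77 python-requests/2.25.1 - 200 0 0 1203
2021-03-04 00:01:40 10.0.0.5 GET /aspnet_client/system_web/discover.aspx - 443 - 203.0.113.77 - - 200 0 0 15
2021-03-04 00:02:05 10.0.0.5 GET /ecp/auth/TimeoutLogout.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    user_agent: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any #Fields header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, values))


def find_webshell_hits(lines: Iterable[str]) -> List[Hit]:
    """Return requests to .aspx pages in watched directories that are not allowlisted."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        folded = stem.lower()
        if not folded.endswith(".aspx") or not folded.startswith(WATCHED_DIRS):
            continue
        if folded in KNOWN_GOOD:
            continue
        reason = "unlisted .aspx in Exchange front-end directory"
        if rec.get("cs-method") == "POST":
            reason += "; POST body is how a web shell receives commands"
        hits.append(Hit(
            time=f"{rec.get('date', '-')} {rec.get('time', '-')}",
            client_ip=rec.get("c-ip", "-"),
            method=rec.get("cs-method", "-"),
            uri=stem,
            user_agent=rec.get("cs(User-Agent)", "-"),
            reason=reason,
        ))
    return hits


if __name__ == "__main__":
    for h in find_webshell_hits(SAMPLE_LOG.splitlines()):
        print(f"{h.time} {h.client_ip} {h.method} {h.uri} ua={h.user_agent} :: {h.reason}")
```

Run against the constructed log, the two legitimate logon requests and the TimeoutLogout page pass, while the lookalike errorEE.aspx (flagged as a POST) and the stray discover.aspx under /aspnet_client/ are reported. The same allowlist approach works on the filesystem: every .aspx under those directories that is not on the manifest is a file path to investigate, which is exactly how the DOJ says the shells were identified.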

So, what does this mean? Well, it means a few things. First of all, it appears Microsoft's patch, on its own, was not enough to fix the problem. Patching closes the hole the attackers used to get in, but it does not remove a web shell that was already planted, so the threat that remained came from server owners who were either unaware of the shells or unwilling to take the steps needed to find and remove them.

Then there's the how. And that has to do with the FBI's expanded powers under Rule 41(b). Prior to 2016, jurisdictional limits were placed on warrants and searches: if the government wanted to search or seize something, it had to request a warrant in the district where the search or seizure would take place. The government found this too limiting, and the jurisdictional limits were causing it trouble in court. Its investigations of dark web child porn servers had led it to use a "network investigative technique" (NIT): malware deployed to computers that connected to a seized server, which then collected identifying information about those computers and sent it back to the FBI. Legal challenges were raised under Rule 41, which at the time required warrants to be executed within the issuing court's jurisdiction, while the NITs deployed by the FBI reached computers all over the world.

The jurisdictional limits are gone. The FBI's warrant [PDF] says that Rule 41(b) now allows it to travel far outside the Southern District of Texas, where the warrant request was made. No one can say for sure how far the FBI's web shell-targeting efforts traveled. Not even the FBI:

The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District o

Link:

http://feedproxy.google.com/~r/techdirt/feed/~3/iIHpKXqfK4k/fbi-flexes-rule-41-powers-uses-remote-access-technique-to-neutralize-compromised-software-all-over-us.shtml

From feeds:

Music and Digital Media » Techdirt.

Authors:

Tim Cushing

Date published:

04/19/2021, 09:35