The FBI made an unprecedented move in a sweeping clean-up of the MS Exchange hack. While it seems like a smart move, it opens the door to privacy questions.
Last month, Microsoft Exchange Servers were hacked. A newly identified Chinese state-sponsored hacking group, Hafnium, appears to be the culprit of this hack, which targeted servers run from company networks. By chaining four vulnerabilities together, the hackers were able to break into a server and steal its contents. A patch was released, but the patch didn’t close the backdoors created in servers that were already breached. So even if the patch was applied, those backdoors would still allow a hacker to enter. Within days, even more hackers joined in attacking the vulnerable servers to deploy ransomware. But, don’t worry, the FBI has us covered. In an unprecedented move, the FBI secretly, but legally, accessed these private servers to mitigate the problem.
According to Gizmodo, “The FBI targeted this unique digital clean-up at servers running the vulnerability-ridden email product Microsoft Exchange. The U.S. Justice Department said Tuesday that the purpose of the bureau’s operation was to digitally erase traces of web shells that, had they remained, “could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.””
The number of infected servers dropped as businesses applied the patch provided by Microsoft, but many of them still remained at risk because backdoors are difficult to find and eliminate.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
While one might initially think that this is a great move, there are many questions surrounding how this unfolded. In this instance, it’s likely the FBI did the right thing. They didn’t access any information; they simply patched the problem and removed the access points. We already know this was a nation-state attack, which means the purpose is intelligence gathering. Leaving those backdoors open, or allowing them to stay open because a business owner doesn’t have the resources to fix them, is a bad idea. Still, there are a lot of privacy questions to consider, especially since most of the companies whose servers were infected aren’t even aware that the FBI did anything.
That’s the biggest kicker, really. A Houston court ruled that the FBI could do this, and at the time of this writing, the FBI was still working on contacting the owners of the impacted servers. Whether they did this with full legal authority is somewhat questionable. Again, in this case, it’s better than doing nothing. But, at the end of the day, do we really want the authorities to have this kind of power? If this is okay, then where is the line?
The thing is, privacy matters, especially in the U.S., where people are more concerned than ever with what businesses are doing with their information.
It’s so important for businesses to conduct regular security and compliance reviews, especially if the government is going to continue to access servers without our knowledge or consent. It is the responsibility of the business to maintain the security of its equipment, so if you discover that the FBI was in your servers, it’s probably a good idea to do a review. Bring in an expert to do it; that ensures business continues as usual while maintaining the safety and integrity of your data.