FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US

from the computers-on-blast dept

Great news, everyone! The FBI has been fighting a cyberwar on your behalf… perhaps utilizing your own computer. Here's Zack Whittaker with some details:

A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, which it described as “successful.”

Hundreds of computers have been accessed by the FBI under the theory that these beneficiaries of government tech largesse won't complain too much about the FBI's (however brief) intrusion. This is the DOJ's official coat of gloss:

Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.

Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized.

Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

So, what does this mean? Well, it means a few things. First of all, it appears Microsoft was unable to mitigate the problem on its own. The threat that remained was due to end users either uninformed or unwilling to take steps to prevent further infection or damage.

Then there's the how. And that has to do with the FBI's expanded powers under Rule 41(b). Prior to 2016, jurisdictional limits were placed on warrants and searches. If the government wanted to search/seize, it had to request a warrant in the jurisdiction where the search/seizure would take place. The government found this too limiting. The jurisdictional limits were causing it trouble in court. Its investigations of dark web child porn servers led to use of network investigative technique -- a search of computers connecting to servers that resulted in the deployment of malware to collect identifying info. Legal challenges were raised under Rule 41, which required warrants to be executed within the court's jurisdiction. The NITs deployed by the FBI were distributed to computers all over the world.

The jurisdictional limits are gone. The FBI's warrant [PDF] says that Rule 41(b) now allows it to travel far outside the Southern District of Texas, where the warrant request was made. No one can say for sure how far the FBI's web shell-targeting efforts traveled. Not even the FBI:

The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.

There's the presumption. All servers might all be in the US. Then again, they may not. But no one knows for sure until after the warrant is executed and all the data is in.

No one targeted by the Rule 41 warrant is suspected of committing crimes. Instead, they've done nothing more than run unpatched software that presents a security risk to them and anyone else they come in contact with. The FBI has decided it's up to the government to come to the rescue of computer users around the US (and perhaps around the world) to prevent further malicious hacking by suspected Chinese state operatives.

So, where does this leave computer users who'd rather not have the government meddle with their unpatched software? On the outside and in the minority, it would appear. The FBI was able to deactivate backdoors in several targets but estimates "hundreds" of servers remain vulnerable because the FBI's hacking tool was unable to find and eliminate the threat under the confines of the court order it obtained.

Now that the court order has been unsealed, the FBI is reaching out to those whose computers the agency briefly accessed. And it definitely should. Not just because of the unexpected intrusion, but because the FBI could only do so much with its webshell-hunting software.

The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.

There it is. The attempt to neutralize a threat only neutralized some of it. But the FBI had permission to neutralize whatever it encountered that met its definition of a threat, no matter where the target was located. This is the FBI using its powers for good, which makes this effort pretty benign. But the FBI's definition of "good" is, at some point, going to cause considerable collateral damage because Rule 41(b) no longer limits it to a single jurisdiction. This was a search, as the FBI freely admits. That it was strictly limited in this case speaks more to the operational aspects of the job, rather than the FBI's better judgment. We can only hope in the future -- as the FBI flexes its jurisdictional free pass -- that the agency shows as much restraint in the future when there's more than some unpatched computers at stake.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, doj, fbi, microsoft exchange, patch, rule 41
Companies: microsoft


Reader Comments

Subscribe: RSS

View by: Thread


  • identicon
    Anonymous Coward, 19 Apr 2021 @ 7:12am

    Just how did do a download all to test for the web shell presence?

    Also, why not notify people of the presence of the web shell, so a permanent fix could be applied, rather than a temporary removal?

    reply to this | link to this | view in chronology ]

    • icon
      That Anonymous Coward (profile), 19 Apr 2021 @ 7:20am

      Re:

      Because the FBI is about headlines & soundbites.

      They got a crack in the law, FOR THE CHILDREN!!!, & they needed to drive in a wedge to make sure the crack stayed open.

      Who cares if they didn't manage to stop it, they can report about all of these shells they shutdown... ignoring that the owners of the servers are in exactly the same position as before. Vulnerable & if they look to see if they'd been hit... the evidence is gone so they can assume they are fine.

      reply to this | link to this | view in chronology ]

    • icon
      TKnarr (profile), 19 Apr 2021 @ 8:55am

      Re:

      The people running those servers were notified, repeatedly. They took no action to apply the permanent fixes that were available. Their compromised machines pose a security risk not just to the owners but to everybody else on the Internet. If nothing else they permit the criminals behind the infections to download any and all personal information that may be accessible from those machines and use those machines to attack others.

      If the FBI's going to abuse it's authority, this is the way I'd prefer them to abuse it.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 19 Apr 2021 @ 9:01am

        Re: Re:

        Except that they only removes the web shell, and did nothing to stop it being promptly re-installed. Also, given the level of access available via the web shell, what are the chances they had a look around before removing it?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 19 Apr 2021 @ 11:04am

          Re: Re: Re:

          They could have just given the FBI version of the exploit to MS, who probably could have also forcibly patched the vulnerability(ies).

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 19 Apr 2021 @ 4:54pm

            Re: Re: Re: Re:

            A prolonged, unscheduled, server shutdown due Microsoft updates could upset the companies using Microsoft, and cost them money.

            reply to this | link to this | view in chronology ]

      • icon
        Tanner Andrews (profile), 22 Apr 2021 @ 6:42am

        Re: Re:

        The people running those servers were notified, repeatedly.

        Yes, but the ``notification'' consisted of a MS windows logo shown at boot time. That warning is pretty general and could not be said to give specific warning of the problem at hand.

        reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 19 Apr 2021 @ 7:25am

    "Whois records and IP address geolocation"

    Because there is NOTHING more accurate than these things.

    Did you see where my eyes went? They rolled way the fsck out of my head.

    Same braintrust that held a family at gunpoint as pedophiles b/c no one bothered to see if the router was open or not.

    This is a nice photo op for the FBI standing in front of the flag, looking all official, with a Mission Accomplished banner...

    Sadly no one remembers what happened the last time we saw this photo op.

    reply to this | link to this | view in chronology ]

  • icon
    Norahc (profile), 19 Apr 2021 @ 7:38am

    Hmmmm....since I'm running Linux does this mean I have to look forward to the FBI wiping my operating system and replacing it with something that they can remotely access with a Rule 41 warrant?

    Totally wouldn't surprise me if the next going dark argument from the FBI is non-windows operating systems are a haven for hackers and child porn producers.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 19 Apr 2021 @ 3:16pm

      Non-windows operating systems

      My latest upgrade featured a copy of Windows 10, which I've been trying to keep from tracking all my movements and reporting back to Big Microsoft. It's an ongoing fight.

      But delving deeper into the OS, it's actually harder to tweak the system than Win7. I'm spending a lot of time in Regedit.

      I'm trying to understand why businesses are sticking to Windows unless its sheer habit, especially since all the new flashy features mean reporting keylogs to Microsoft (who is, like Amazon, rather chummy with law enforcement). If I was, say, a general contractor, I wouldn't want them looking at my data for leverage.

      reply to this | link to this | view in chronology ]

      • icon
        Scary Devil Monastery (profile), 21 Apr 2021 @ 2:55am

        Re: Non-windows operating systems

        "I'm trying to understand why businesses are sticking to Windows unless its sheer habit"

        Cost and convenience. You get windows. Then you get office365, because it's what everyone uses. Now you have a tech support subscription for MS services and the lock-in is complete.

        A smaller business can turn on a dime and replace this all with Linux, probably...but the bigger ones, with tens of thousands of employees worldwide and several dozen interlinked business units? They'll stick to MS like glue until they feel the cost and inconvenience of migrating from that platform gets worse than staying on it.

        "If I was, say, a general contractor, I wouldn't want them looking at my data for leverage."

        This is what NDA's are for. :)

        reply to this | link to this | view in chronology ]

        • icon
          PaulT (profile), 21 Apr 2021 @ 5:15am

          Re: Re: Non-windows operating systems

          "Cost and convenience. You get windows. Then you get office365, because it's what everyone uses."

          Actually, Office has been the killer app for Windows for a long time (along with gaming, although that's not required for business contexts).

          Because most office workers have trained with Microsoft Office, many refuse to use anything else, or find it so difficult that they need to be retrained. I worked in a company a while ago where OpenOffice was deployed for massive savings, and it did everything that the staff actually needed to do. But, there was such a revolt against it for just looking a bit different that management just paid for a new version of MS Office to appease them.

          This may be changing as people get more used to alternative interfaces like Google Docs, and server applications are a different story. But, the average worker drone? They'll demand Windows, and that includes the beancounters, so they'll let that slide while demanding cuts to necessary services on the backend...

          reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 19 Apr 2021 @ 7:49am

    innocuous leader

    'cause yet again locked down: TD can't tell spam from dissent!

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 19 Apr 2021 @ 7:51am

    yes, one-liners get in

    that's TD's level of discussion

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 19 Apr 2021 @ 7:52am

    try this w new subject line

    It's Monday. What can we advocate that's outrageous?

    Oh, I know: defend MALWARE! -- AND for kicker, AGAIN object that knowing downloaders of child porn were caught and jailed!

    reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Anonymous Coward, 19 Apr 2021 @ 7:52am

      Re: try this w new subject line

      Legal challenges were raised under Rule 41, which required warrants to be executed within the court's jurisdiction.

      Rule 41 objections were DULY ADJUDICATED several times at Appeals level, found by every one to be MERE technical point in NO way requiring suppressing evidence of downloading child porn. -- Techdirt continues to protest this due justice, though, because favors child pornography. No other conclusion can be drawn. -- That rule clarification has not and will not affect anyone not requiring to suppress clear evidence to escape justice.

      reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Anonymous Coward, 19 Apr 2021 @ 7:52am

      Re: try this w new subject line

      The jurisdictional limits are gone.

      You cannot logically require gov't to get a warrant for every jurisdiction when the actual physical location is unknown. This is the era of teh internets, kids. You are not "safe" to download child porn (or stolen content, Techdirt's real goal) behind an insane legalism that puts impossible burdens on gov't.

      reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Anonymous Coward, 19 Apr 2021 @ 7:54am

      Re: try this w new subject line

      Sum of your view: "Oh, sure, just because good results here doesn't mean that knowing downloaders of child porn shouldn't be let go."


      YET AGAIN, the mysterious "spam filter" blocks me for a while, then after AC one-liners breaks through, lets ALL of the original text go in!

      Does rob me of screen name, though:

      NAME:WRECK

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Apr 2021 @ 4:24am

        Re: Re:

        There once was an out of the blue
        Who hated the process of due
        Each post that he'd made
        Was DMCAed
        And shoved up his ass with a screw

        reply to this | link to this | view in chronology ]

  • icon
    virusdetected (profile), 19 Apr 2021 @ 8:02am

    Read the details carefully and see if you can figure out how they obtained the passwords to these systems or got past the firewalls...

    reply to this | link to this | view in chronology ]

    • icon
      That Anonymous Coward (profile), 19 Apr 2021 @ 8:44am

      Re:

      Well the servers were already compromised...
      And remained in that state.

      reply to this | link to this | view in chronology ]

    • identicon
      Nick-B, 19 Apr 2021 @ 10:06am

      Re:

      Sounds like they used the exact same open web shell left behind by the hackers in the original wave. The article stats that this was used to clean up the shells left by the first hacks. Most likely the method used (and user/password used by the hackers) was known, so the FBI used the same entry point used by them. Then, while in with the same permissions, deleted the web shell itself as they left.

      If I was a white hat hacker doing this kind of thing, it's what I'd do. Get in using the existing exploit (partly to prove that it is still a vulnerability) and remove it as you leave.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 19 Apr 2021 @ 8:18am

    The only surprise here is that they went and got a court order. I wonder if they did that before accessing the servers.

    reply to this | link to this | view in chronology ]

  • identicon
    Bruce C., 19 Apr 2021 @ 8:25am

    How this is likely to play out

    1) FBI uses wide warrants for "good".
    2) FBI starts testing the limits of these wide-area warrants.
    3) Federal courts start pushing back. (one can only hope...)
    4) FBI goes to FISA court or other mechanism with insufficient oversight.

    reply to this | link to this | view in chronology ]

  • identicon
    me, 19 Apr 2021 @ 8:41am

    Right......

    And I'm sure they will only use that power for good...... keep believeing that.

    All the more reason to be using something like Linux, and know how to secure and harden it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Apr 2021 @ 9:30am

      I find your lack of security... disturbing.

      Sure, Linux can be more secure. It is not, however, a "secure it and done" thing. You are not excused from regularly updating it and new bugs are found.

      You are also vulnerable to repository poisoning, and your web servers are not greatly less vulnerable on linux than they are on Windows or other operating systems given the common libraries and products used.

      reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 20 Apr 2021 @ 12:17am

        Re: I find your lack of security... disturbing.

        Yeah, the "secure and hardening" part of the comment is important to realise. Traditionally, Linux has been way more secure because of the way it's designed and operated by default and because a Linux admin is generally more aware of and concerned with security in general. This has changed somewhat in recent years with Windows being way more secure out of the box than it used to be, but there's no replacement for due diligence and competent security administration. People shouldn't get complacent just because they don't run Windows.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Apr 2021 @ 9:24am

    So combine Rule 41 with Rule 34, and Oh, Baby!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Apr 2021 @ 5:25pm

      Re:

      So combine Rule 41 with Rule 34, and Oh, Baby!

      FBI: You know, we are supposed to investigate forced penetration when it crosses state lines......

      reply to this | link to this | view in chronology ]

  • icon
    Phoenix84 (profile), 19 Apr 2021 @ 9:36am

    >> This is the FBI using its powers for good, which makes this effort pretty benign.

    Nothing I read in this article is "good" or "benign."

    Unless these were government computers, the FBI doesn't belong there.

    reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 21 Apr 2021 @ 5:28am

      Re:

      "Nothing I read in this article is "good" or "benign.""

      What, you mean you'd object if law enforcement secretly invaded your home, riffled through your family's private drawers, then made sure to lock the door securely on their way out? What sort of conspiracy nut are you?

      /s in case there was need.

      reply to this | link to this | view in chronology ]

  • icon
    Federico (profile), 19 Apr 2021 @ 9:51am

    Do as we say

    This is so typical. Three-letter agency accuses $foreign_competitor of large-scale asset occupation; proceeds days later to do the same. Proof of the supposed original action is never found, but the magnitude of the "reaction" is such that it can't even be hidden.

    reply to this | link to this | view in chronology ]

  • identicon
    Michael, 19 Apr 2021 @ 10:17am

    A step, but not much of one

    It's a step up from the time the FBI spent weeks acting as the largest provider of child pornography on earth, I guess. But not much of one.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Apr 2021 @ 10:37am

    If you have a good firewall, you can prevent such access.

    When I had had my online radio station, the only ports allowed on the server were 80,443 and the ports for the radio streams. Any such attempt to access my system would have failed.

    Doing that would certainly have not broken any laws.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 19 Apr 2021 @ 1:16pm

    'We pinky-promise we'll be responsible this time.'

    Given this is the same agency that ran a massive CSAM platform for two weeks and used a technique to try to identify users that violated the law so they were scrambling to get the law changed, even if this was a responsible use of their 'one warrant for everything' power I absolutely do not trust them to stay responsible, and fully expect that it will be a matter of when, not if, they abuse this one to do something they shouldn't.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Apr 2021 @ 1:24pm

    Hopefully all US servers

    This is hacking pure and simple. Only difference is that these are the good guys (relative to a sliding scale of good or bad that bears no relation to reality and determined by the TLA of your choice). Hopefully this was all USA servers and not owned by countries like Russia. I’m guessing that qualified immunity/TLA will apply cos “good guys US of A” and “think of the children”.

    reply to this | link to this | view in chronology ]

  • icon
    Darkness Of Course (profile), 19 Apr 2021 @ 2:21pm

    I just looked, W10 is still there

    Exchange servers are commonly considered their worst product, but leaving them open gave them what, 10 to 20 seconds before they were reinfected again?

    reply to this | link to this | view in chronology ]

  • icon
    fairuse (profile), 19 Apr 2021 @ 3:43pm

    FBI - No problem, we fix

    reply to this | link to this | view in chronology ]

  • icon
    crazy_diamond (profile), 19 Apr 2021 @ 5:10pm

    I absolutely trust the FBI and/or any other government agency to break into systems for our own protection, even though they've shown no proof that everything they broke into were unpatched servers. They can't won't because that would expose "sources and "methods". This is just getting us used to more pervasive and invasive surveillance.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 19 Apr 2021 @ 5:21pm

    Trying to find a metaphor...

    We noticed you had a front door handle that was prone to slipping, so we tighten it a bit while you weren't home... but in a couple days it'll be slipping again but hey we only tightened it we didn;t make sure it was locked.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.