Earlier this year, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place malware that provided backdoor access to thousands of compromised servers. Microsoft assessed with high confidence that the vulnerabilities were initially being exploited by a state-sponsored group that Microsoft refers to as HAFNIUM. This week the
The law enforcement operation comes as the
Although this proactive response is welcome and consistent with law enforcement's stated priority of proactively defending American businesses and individuals from foreign cyber intrusions, private sector organizations will still need to take additional action to ensure that their networks are secured, whether or not they benefited from the operation. We provide recommended guidance below, after a brief primer on HAFNIUM and related hacking activity.
HAFNIUM and Related Hacking Activity
Security researchers determined that HAFNIUM had been exploiting the zero-day vulnerabilities in Microsoft Exchange Server as early as the beginning of
But as Microsoft prepared to issue its patch in late
Ultimately, according to security researchers, HAFNIUM indiscriminately installed web shells on tens of thousands of vulnerable systems, and that number does not include exploitation by other hacking groups that raced to exploit the zero-day vulnerabilities after Microsoft's patch release but before affected entities had time to install the patches. DOJ's court filings estimate that, in total, more than 60,000 Microsoft customers were compromised worldwide in this way.
Although the number of infected systems dropped as the private sector applied patches, hundreds of Microsoft Exchange Servers remained vulnerable: applying the patch closes the vulnerability but does not remove a web shell that was already installed, and these web shells were difficult to find and eliminate. In particular, many of the remaining unpatched victims are believed to be small and medium-sized businesses that were outmatched by the adversary.
A Novel Law Enforcement Response
DOJ, as a result, sought to take proactive action, through legal process, to access and delete web shells deployed by hackers, without impacting other files or services of victim systems. The operation was conducted pursuant to a search and seizure warrant under Federal Rule of Criminal Procedure 41, which authorized the
DOJ has pursued prior operations using its authority under Rule 41, including the takedown of the Russian Gameover Zeus botnet and the North Korean Joanap botnet, but such operations have typically been limited to seizures of command and control infrastructure. This operation reflects a more aggressive approach insofar as it involves access to the systems of compromised victims.
The operation affected only the malicious web shells installed by unauthorized actors; it did not patch any vulnerabilities on those Microsoft Exchange Servers and did not remove any other malware. According to the partially unsealed warrant affidavit, the
Takeaways
This operation's novel use of legal process has a variety of implications for businesses and reinforces the value of maturing organizational approaches to incident response, vulnerability management, and law enforcement cooperation. This is especially true for the hundreds of victims who may receive notice, which the
Although the
Additionally, impacted organizations should investigate (at the direction of counsel, if possible) the underlying HAFNIUM activity to determine if any additional malware was deployed, or if any data or other systems have been impacted. Organizations may need to satisfy notification obligations and other regulatory requirements, and further remediation or security hardening may be appropriate as well.
Further, this operation underscores the potential use of legal process as a valuable and creative tool for both law enforcement and private organizations to take action against malicious threat actors. Private sector organizations, using authorities such as the Computer Fraud and Abuse Act (CFAA), contract claims rooted in Terms of Use, or other claims, may look to civil process for their own operations to identify threat actors or compel removal of malware from hosted environments. With law enforcement pushing the envelope with its own proactive court-authorized operations, further precedent in this area supporting court-ordered enforcement actions is likely to develop.
As the
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
CA 94105-2482
Tel: 4152687000
Fax: 4152687522
E-mail: mcervantes@mofo.com
URL: www.mofo.com
© Mondaq Ltd, 2021 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source