If You Could Just Go Ahead And Disrupt That Microsoft Exchange Server Compromise, That'd Be Great!
If you weren't already paying attention to the Microsoft Exchange Server vulnerability, the extraordinary measures taken by the FBI this week should definitely serve as your wake-up call.
In a warrant, since unsealed and found here, the FBI sought and was granted the authorization to remove malicious web shells already installed on vulnerable computers across multiple jurisdictions in the United States. This was simply groundbreaking.
As every US citizen should know, the Fourth Amendment requires any search conducted by the US Government to be reasonable. In practice, this translates to a requirement that the scope of a search warrant be limited to very specific items at very specific locations. This can be particularly challenging in the realm of Cyber Crime, where evidence typically takes the form of zeroes and ones "located" behind various domains, or even the domains themselves. Proposing a search for these new types of digital "objects" often challenges judicial understanding of the established concepts of Searches and Seizures, which have been developed over centuries to apply to the physical world. This can be a herculean task for FBI Special Agents, FBI Cyber Law folk and the local Assistant United States Attorney, who have to overcome this inertia through relentless and painstaking (and often just plain repetitive) explanations to higher-ups at Headquarters and Main Justice.
Even with this helpful intervention from the FBI, if you're reading this and still haven't addressed the Exchange Server vulnerability in your own enterprise systems, you still have work to do. While the warrant allowed the disruption of existing compromises, it did not patch any of the vulnerabilities themselves. If you still need a reason to get on it, here it is: honor the extraordinary work of the FBI Cyber agents and AUSAs, who undoubtedly had to fight and push through some impressive institutional resistance to get this effort authorized. If you have questions about how to remediate the vulnerability, see the Joint Advisory here for specifics, or reach out to us.
We doff our powdered wig to the FBI Special Agents and the Southern District of Texas United States Attorney's Office. The work done here was not without risk, but it was critically needed, truly groundbreaking and, as a Security practitioner, much appreciated.