
The FBI accesses Exchange Servers proactively

So… the FBI got court approval to access Exchange Servers around the US that were still compromised. And they did. They removed web shells left behind by hackers. And they did it without prior notification to the owners, as a proactive step.

This was done via a search warrant. The FBI used the warrant to access the still-compromised servers, copy each web shell as evidence, and then remove it from the server; the removal was done by sending the web shell a command that caused it to delete itself. The FBI stated that it believed the owners of the still-compromised servers did not have the technical ability to remove the shells on their own, and that the shells posed a significant risk to the victims. There was a specific concern that notifying the owners in advance could compromise the operation, so the court allowed notification to be delayed until after the operation was finished. Note what the operation did not do: it removed the web shells only. It did not patch the underlying Exchange vulnerabilities and did not look for or remove any other malware the attackers may have left, so a server the FBI "cleaned" still needed its owner to patch and investigate.
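For anyone running Exchange who does not want to rely on the FBI to find web shells for them, here is the kind of check a defender would run on the server itself. This is an added example, not code from the original post, the FBI, or Microsoft; the directories it scans are the ones the Exchange web-shell campaigns were widely reported to use, the content patterns are common web-shell tells, and the ExchangeInstallPath environment variable (set by Exchange setup) is assumed to be present. Treat hits as leads to investigate, not proof.

```powershell
# Added example: hunt for web shells in the Exchange front-end directories.
# Assumptions: Exchange 2013-2019 on-prem, run in an elevated PowerShell on the
# Exchange server. Paths, patterns and the 60-day window are illustrative choices.

$exchangeRoot = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
$paths = @(
    (Join-Path $exchangeRoot 'owa\auth'),   # commonly reported drop location
    (Join-Path $exchangeRoot 'ecp\auth'),   # commonly reported drop location
    'C:\inetpub\wwwroot\aspnet_client'      # commonly reported drop location
)

# Content tells typical of ASP.NET web shells (assumed patterns, not exhaustive).
$patterns = @(
    'eval\(Request',                 # classic one-line shells: eval(Request["x"], "unsafe")
    'Request\.Item\[',               # parameter read used by many shell variants
    'System\.Diagnostics\.Process',  # spawning a process from a page
    'ProcessStartInfo'
)

# Any script file written recently in these folders is suspicious on its own:
# Exchange does not normally modify them outside of updates.
$since = (Get-Date).AddDays(-60)

$hits = foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            $matched = @($patterns | Where-Object { $content -match $_ })

            if ($matched.Count -gt 0 -or $file.LastWriteTime -gt $since) {
                [pscustomobject]@{
                    Path          = $file.FullName
                    LastWriteTime = $file.LastWriteTime
                    SizeBytes     = $file.Length
                    # Hash before touching the file so the evidence is preserved,
                    # the same "copy first, then remove" order the FBI used.
                    SHA256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    Patterns      = ($matched -join ', ')
                }
            }
        }
}

$hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

If this turns anything up, copy the file off the box (with its hash and timestamps) before deleting it, and remember that deleting the shell does not close the hole it came through: the server still needs the Exchange security update, and the rest of the host should be checked for whatever else came in through the shell.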

While we're talking Exchange: a new Exchange vulnerability was announced on Tuesday the 13th, so if you run Exchange, you have another round of patching to do.

Why do we care?

I've made my position clear that warrants are the existing, well-known way to handle government actions like this. While my hot take was a bit of outrage, the more I considered it, the more logical it still seemed.

Let's make it physical. The police are aware of a break-in at a local business. They investigate, with a warrant, and find that yes, the business was breached, and there is a device attached to the cash register that takes currency and puts it aside for the robbers. The police, having identified the crime, would turn the device off, right? You'd want them to do that. I know I would, particularly if they have the skills and I don't.

Sure, it's a stretched analogy, but you get the point. There's clearly a desire on law enforcement's part to be proactive. That's a change, and that's why we care.