美国联邦调查局上月被授权从运行微软Exchange服务器内部版本的机器上移除恶意网络外壳，此举引起了网络安全专业人士的注意，并引发了一场关于政府应对这些攻击中所扮演角色的对话. 官员们说，他们正试图联系被感染机器的所有者和操作者；他们没有提前通知. 这种感觉与执法部门拆除僵尸网络不同，后者通常涉及跟踪机器人与之通信的命令和控制服务器，中断通信，并获得对其的控制权.
这次行动 特别授权 这项针对美国电子邮件服务器的活动是微软披露了严重的Exchange服务器漏洞后6周宣布的 已被使用 以全球数千个网络为目标。攻击者可以将这些缺陷链接一起，以危害已公开的服务器并窃取数据等操作
这些感染通常从部署一个webshell开始，敌方可以使用它与目标机器进行通信，并分发文件，使其感染其他恶意软件。虽然许多目标系统的管理员能够成功地从数千台设备上删除这些Web shell，但其他人却没有。Web shell一些目标服务器上保持不变，没有被削弱
联邦调查局 已经参与 几次行动中 打击网络犯罪。最近，官员们与全球执法机构联手打倒了这起案件 表情 僵尸网络
打乱敌人的目标 CrowdStrike Services总裁、前FBI执行助理局长肖恩·亨利（Shawn Henry）说，执法部门网络犯罪中的作用是一个复杂的问题，因为这其中很多事情以前从未做过，立法没有跟上技术的步伐，事情进展很快。私营部门的雇员经常防御训练有素的军事专业人员
The FBI last month was authorized to remove malicious Web shells from machines running on-premises versions of Microsoft Exchange Server, a move that caught the eyes of cybersecurity pros and sparked a conversation about the government’s role in responding to these attacks.
This operation, which specifically authorized the activity for email servers in the United States, was announced some six weeks after Microsoft disclosed critical Exchange Server vulnerabilities that have since been used to target thousands of networks around the world. An attacker could chain the flaws together to compromise an exposed server and steal data, among other actions.
These infections commonly start with deploying a Web shell, which adversaries can later use to communicate with target machines and distribute files to infect them with additional malware. While many admins of target systems were able to successfully remove these Web shells from thousands of devices, others didn’t. Web shells persisted, unmitigated, on some target servers.
They soon became the object of an FBI operation that removed the remaining Web shells of an early hacking group. The Web shells could have been used to “maintain and escalate persistent, unauthorized access to U.S. networks,” the Justice Department wrote in a statement. Officials conducted the removal by issuing a command through the Web shell to the server, which was designed to cause the server to only delete the Web shell, as identified by its unique file path.
It’s important to note that while the FBI copied and removed Web shells, it did not patch any of the vulnerabilities, nor did it search for or remove additional malware or hacking tools that may have been present on target servers. Officials said they were attempting to contact the owners and operators of infected machines following the operation; they did not give advance notice.
The FBI has been involved in several operations against cybercrime. Officials most recently teamed up with global law enforcement agencies to bring down the Emotet botnet.
But this operation, in which the FBI was present on enterprise servers without owners’ knowledge, caught the eyes of many. It feels different than law enforcement dismantling a botnet, which often involves tracking a command-and-control server that the bots communicate with, disrupting communication, and gaining control over it.
“That’s a nuanced difference, but it’s a little different than the FBI specifically knowing endpoints that are compromised, remoting in, and deleting a Web shell,” says Katie Nickels, threat intelligence director at Red Canary, who feels “pretty divided” about the operation.
For Nickels, and for many defenders, it was difficult in early March to see many organizations compromised in the Exchange Server attacks. Security practitioners know there are teams that aren’t current on security news and don’t know to patch or detect Web shells, she explains. It’s frustrating, as a defender, to know all these businesses are going to be compromised and not know about it.
“Part of me as a defender is really happy that someone is trying to help these organizations remove a Web shell,” she says. “Of course, there’s the other side: What kind of precedent does this set, allowing law enforcement to go into a computer … what kind of precedent does that set for the future? When could these operations take actions in the future, and what could be the implications of that? That’s the other side.”
“I feel squarely torn, and that’s what I’ve heard from most people,” Nickels adds. In the past few months, as the world learned about SolarWinds and the Exchange Server attacks, the security community has seen a growing disparity between organizations prepared to face these incidents and those that aren’t — and a need to help lacking companies protect themselves.
A Goal of Disrupting the Adversary
Law enforcement’s role in cybercrime is an intricate matter because much of this has never been done before, legislation hasn’t caught up with technology, and things move quickly, says Shawn Henry, president of CrowdStrike Services and former FBI executive assistant director. Employees in the private sector are often defending against trained military professionals.
“There’s so many complexities there, and that’s why these things are never easy,” he says of navigating the myriad laws, issues, amendments, and ramifications of intervening. “If I [believe] the government’s primary responsibility is to protect the citizens, I think that their role in a case like this is to disrupt infrastructure. That is an area that the government can have success in.”
The government’s role in fighting crime is often focused on deterrence. In the physical world, this could mean seizing assets bought with stolen funds, bank accounts used to launder money, and warehouses and other facilities used to store and sell illicit products. Criminals can’t operate in an environment where their infrastructure is destroyed, and their return-on-investment drops.
Henry applies the same concept to cybersecurity, an area in which attackers “are operating with impunity” and often out of places where the host country can’t be expected to intervene.