Cybersecurity News: FBI Intervention on ProxyLogon Hacks

Darian Lewis

At Relativity, securing customer and company data isn’t just a priority—it’s the heart and soul of what we do. Our security team, Calder7, acts around the clock to anticipate threats, mitigate risks, and stay ahead of potential adversaries. Your most sensitive information is well protected in RelativityOne.

Still, as we all know, your organization is only as secure as the people who hold the data—and it isn’t just your RelativityOne data that needs protecting. That’s why strong security awareness education and training should be a critical component of your overall security posture.

To support your efforts in this area, our team here at Calder7 recently published a white paper describing the ProxyLogon vulnerabilities that have made news through a wave of hacking incidents. To briefly summarize: these vulnerabilities allow attackers to access Microsoft Exchange servers and deploy malicious software such as ransomware and cryptocurrency miners, as well as leave behind webshells—web-based, shell-like interfaces that attackers install on a server—and other tools that give them persistent access to compromised data.

In response to this critical issue, Microsoft released some important patches to close these back doors, and the United States government has launched an investigation into related cybercrimes.

Notably, the U.S. Attorney’s Office (USAO) in the Southern District of Texas took an unprecedented step on April 13, 2021, allowing the Federal Bureau of Investigation (FBI) to enter servers compromised via ProxyLogon vulnerabilities, copy any webshells they found on those servers for the purposes of their investigation, and then remove the webshells from the servers.

In their investigation, citing the need for “partnerships with private sector and government colleagues,” the USAO justified this action as a commitment to use all tools available to hold malicious cyber actors accountable for their actions.

It is a nice sentiment, but the action may have fallen short of its goal of removing unauthorized access to these servers in two ways: it neither patched the underlying Microsoft Exchange vulnerabilities nor removed any other malware or backdoors the attackers had installed.

Additionally, many parties have voiced other concerns over the move.

Concerns over New FBI Authority

In specific terms, the logistics of this action have also raised concerns. First, there is the issue of notifying the servers’ owners of any action taken. The FBI has stated that it will make its best effort to contact server owners from an FBI email address to notify them that their systems were in scope, but it anticipated that notification might not happen for a month or more after the action.

Their reasoning for the delay is based on the fact that the investigation remains ongoing. Details of the scale of the operation, exactly what steps were taken, and other specifics have been redacted from the court order, in the interests of avoiding any interference with the case.

More broadly, concerns over this investigative step include issues of data privacy and the scope of cyber law enforcement. Might the action set a precedent for giving the FBI broad permission to access private servers? If so, critics fear it signals a slippery slope into privacy violations by the law enforcement and intelligence agency.

At the crux of the debate is the issue of interference by government entities in corporate security matters. This is new behavior for the FBI in the cyber realm, and it may well set a precedent for future activity. As many CISOs already struggle to fully understand their organization’s complete data architecture, knowing that any third-party entity could remotely access their servers and make undocumented changes is frightening. (After all, they ask: If someone with the best intentions can manage it, why not someone with nefarious purposes? It’s an uncomfortable possibility no technology leader likes to consider.)

Additionally, concerns have been voiced over what other actions the FBI could have taken or what additional information may have been accessed during their visits into compromised servers. Plenty of individuals and organizations take issue with government agencies “snooping” on private property—analog or digital.

No matter your position on the ethics of the matter, one thing is certain: By using the tools left behind by criminals to gain unauthorized access to servers, the FBI is taking a bold step in the use of hacking as a tool in their law enforcement arsenal.

Moving Forward

With so many details about this new action still protected by redactions, it is difficult to predict what long-term effects the case will have on the future of cybercrime investigations. We are left to wonder what the FBI will do with its new collection of webshells and what other information was examined during the remediation process to further the investigation.

It’s notable that over 92 percent of servers had already been patched at the time of the action. So while the desire to assist the remaining 8 percent is understandable, the unprecedented mechanism used to deliver that assistance leaves many questions. The impact on compliance requirements, ISO, FedRAMP, HIPAA, and other certifications also remains unknown. Our team will continue to follow this story as it unfolds, so look out for more coverage as updates arise.

In the meantime, you can dig deeper into this story here, here, or here. Let us know your thoughts in the comments or over on the Relativity Community site.

Darian Lewis was a staff engineer and lead threat intelligence analyst in Relativity's Calder7 security group.