FBI accessing hundreds of American computers

[RPfan1992]

Not updating your critical software? The FBI might just do it for you.

The FBI has begun quietly accessing hundreds of American computers hacked through Microsoft’s Exchange email program, removing malicious code that the hackers left behind.

The operation, which the Department of Justice announced Tuesday it had authorized with a warrant, highlights the severity of the Exchange vulnerability, which allowed scores of hackers to break into organizations since the beginning of the year.

But it also raises concerns about the FBI's jurisdiction when remedying cyberattacks against Americans.

In some major stings against botnets — giant armies of hacked computers that a hacker will direct to act as a group, often as part of criminal operations — the FBI will hack victims’ computers to remove the code that makes the computers unwilling perpetrators. But the agency’s reaction to the Exchange hack is an example of a far rarer phenomenon: actively removing malicious code from Americans’ computers simply to help them.

Microsoft announced at the beginning of March that hackers working for the Chinese government had been exploiting flaws in the code of Exchange, its program that allows organizations to run their own email servers, to break into computers running that program. As Microsoft and other cybersecurity researchers began working on a fix, the vulnerability seemed to go viral among hackers, and a wide range of them began exploiting the vulnerability all over the world.

A spokesperson for the Chinese Embassy in Washington, Wang Wenbin, said at the time that "China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyber attacks is a complex technical issue."

Harvey Rishikof, the director of policy and cybersecurity research at the University of Maryland, said that the FBI action was a necessary step, given that cybersecurity has proven so difficult for many Americans.

"In order to level the playing field, we have to be much more active, defensively. And this is a first step," he said.

Many of the hackers who broke into victims’ computers through Exchange left simple scripts, called web shells, which give them the ability to remotely control those systems. While Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency launched awareness campaigns to alert potential victims and tell them how to remedy their systems, researchers have found that thousands of victims weren’t taking those steps.

In a signed affidavit for the operation, an FBI agent whose name is redacted wrote that "most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own."

"By deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them," the agent wrote.

The FBI will notify victims that the agency has removed the code, but isn’t required to do so before May 9, according to the terms of the warrant.

Many of the web shells that the Exchange hackers left behind are simply copied and pasted code used against multiple victims. They require a password to enter, but since those passwords were often reused, it’s easy for an FBI agent to log in, make a copy of the web shell for evidence, and then delete it.

Alan Butler, the president of the Electronic Privacy Information Center, a think tank that advocates for digital privacy, said that while the FBI appeared to be acting justly in this case, the Justice Department should be mindful with how it grants the agency that authority.

"There are significant risks with these techniques — such as unintended destruction of data or misuse of the tools by government agents — that demand close oversight," he said in an email. "It is important that courts strictly limit such orders and that there be public oversight of these activities after the fact."

https://news.yahoo.com/fbi-might-gon...175158160.html

[ClaytonB]

I'll leave the lawyering to the lawyers and the politicking to the politicians, but I'll note that there are some white-hats out there. After a Gmail leak (that I hadn't read about because I generally avoid the news), I had someone log a random Uber ride somewhere in Canada and they used my Gmail address as the address to create the account for that ride. I had a meltdown that someone must have uncovered my password so I went and checked the website listing all accounts leaked and mine was in the list. So I changed my Gmail password. I went back and reviewed that email and nothing about it made sense -- someone created an Uber account using my Gmail, took a 5 mile ride, but never logged into my account (you can see all logins in the Gmail control panel). So I think this was a white-hat that just wanted to get my attention to change my password since I was in the list. A very kind thing of them to do, by the way.

Another more "intrusive" white-hat hack was by Ryan Castellucci who was sifting through addresses on the Bitcoin blockchain to see if anyone of them had a weak password that could be cracked. Using a custom password-cracker, he was actually able to hack several addresses. Most of them had decimal dust so it didn't matter. However, he hit on one address that had tens of thousands of dollars of Bitcoin (back when this occurred, it would be many millions now). He realized that this poor guy could lose all his money but he had no way to contact him. Instead, he sent a small spend transaction from the address (spent a tiny amount of his Bitcoin), then sent another transaction to put that exact same amount back into the Bitcoin address he had hacked. Surprisingly, that didn't get the guy's attention even after several days, so he kept trying to find him, and eventually did get in contact with him, because he was a miner:

[fedupinmo]

I wonder if that's what's going on with the little gray Xs on the icons, even though I've never signed in to OneDrive...

[pcosmar]

Another good reason to not use Windoze.

[Warrior_of_Freedom]

So they exploited a vulnerability and replaced the code with their own? Got it.