Connect with us

Hi, what are you looking for?



NSA Publishes IOCs Associated With Russian Targeting of Exim Servers

The U.S. National Security Agency (NSA) on Thursday published information on the targeting of Exim mail servers by the Russia-linked threat actor known as Sandworm Team.

The U.S. National Security Agency (NSA) on Thursday published information on the targeting of Exim mail servers by the Russia-linked threat actor known as Sandworm Team.

The open-source Exim mail transfer agent (MTA) is used broadly worldwide, powering more than half of the Internet’s email servers and also being pre-installed in some Linux distributions. Roughly 500,000 organizations use Exim within their environments.

In June last year, Exim developers patched CVE-2019-10149, a vulnerability that could allow both local and remote attackers to run arbitrary commands as root. Over 3.5 million machines were found to be at risk at the time, and attacks targeting the flaw emerged soon after.

Now, the NSA says the Russian hackers have been exploiting the vulnerability since at least August 2019, to execute commands and code on affected systems.

“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA says.

Also tracked as TeleBots, Sandworm Team is focused on cyber-espionage. The group’s activity largely overlaps with that of APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium), but the two use different tools and methods.

Sandworm Team, security researchers say, has been targeting European government organizations, media outlets in France and Germany, political opposition groups in Russia, and LGBT organizations with links to Russia. The group was also connected to attacks on Ukraine’s power grid.

Advertisement. Scroll to continue reading.

In addition, the threat actor is believed to have orchestrated attacks on the 2016 U.S. presidential election, and to be behind the June 2017 NotPetya cyberattack and the VPNFilter botnet.

According to the NSA’s advisory, Sandworm Team has been targeting unpatched Exim mail servers, on their victims’ public facing MTAs, by sending a command in the MAIL FROM field of an SMTP (Simple Mail Transfer Protocol) message.

The threat actor would modify parameters in the command based on deployment. Successful exploitation of CVE-2019-10149 would result in the victim machine downloading and executing a shell script from a Sandworm-controlled domain.

Since at least August 2019, Sandworm Team was observed launching such attacks from two IP addresses and one domain:,, and hostapp(.)be, the NSA explains.

“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation,” the NSA warns.

Related: Russian Hackers Target European Governments Ahead of Elections: FireEye

Related: Hackers Target Recent Vulnerability in Exim Mail Server

Related: NSA: Russian Agents Have Been Hacking Major Email Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...