The U.S. National Security Agency (NSA) on Thursday published information on the targeting of Exim mail servers by the Russia-linked threat actor known as Sandworm Team.
The open-source Exim mail transfer agent (MTA) is used broadly worldwide, powering more than half of the Internet’s email servers, and comes pre-installed in some Linux distributions. Roughly 500,000 organizations use Exim within their environments.
In June last year, Exim developers patched CVE-2019-10149, a vulnerability that could allow both local and remote attackers to run arbitrary commands as root. Over 3.5 million machines were found to be at risk at the time, and attacks targeting the flaw emerged soon after.
Now, the NSA says the Russian hackers have been exploiting the vulnerability since at least August 2019 to execute commands and code on affected systems.
“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA says.
Also tracked as TeleBots, Sandworm Team is focused on cyber-espionage. The group’s activity largely overlaps with that of APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Sednit, Tsar Team and Strontium), but the two use different tools and methods.
Sandworm Team, security researchers say, has been targeting European government organizations, media outlets in France and Germany, political opposition groups in Russia, and LGBT organizations with links to Russia. The group was also connected to attacks on Ukraine’s power grid.
In addition, the threat actor is believed to have orchestrated attacks on the 2016 U.S. presidential election, and to be behind the June 2017 NotPetya cyberattack and the VPNFilter botnet.
According to the NSA’s advisory, Sandworm Team has been targeting unpatched Exim mail servers running as its victims’ public-facing MTAs by sending a command in the MAIL FROM field of an SMTP (Simple Mail Transfer Protocol) message.
The threat actor would modify parameters in the command based on the deployment. Successful exploitation of CVE-2019-10149 would result in the victim machine downloading and executing a shell script from a Sandworm-controlled domain.
Since at least August 2019, Sandworm Team has been observed launching such attacks from two IP addresses and one domain: 126.96.36.199, 188.8.131.52, and hostapp(.)be, the NSA explains.
“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation,” the NSA warns.
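To act on the version guidance above, the following added example (not part of the NSA advisory or the Exim project) checks the first line of `exim -bV` output against the 4.93 minimum. The function names `exim_meets_minimum` and `report` are hypothetical, and the sample banners are constructed to follow the `Exim version X #N built ...` layout.

```shell
#!/bin/sh
# Added example: compare an Exim version banner with the 4.93 minimum
# recommended in the advisory quoted above.
MIN_MAJOR=4
MIN_MINOR=93

# exim_meets_minimum "<first line of 'exim -bV'>"
# Returns 0 = 4.93 or newer, 1 = older (or a pre-release of 4.93),
#         2 = banner could not be parsed.
exim_meets_minimum() {
    case $1 in
        "Exim version "*) ;;
        *) return 2 ;;
    esac
    tok=${1#Exim version }   # "4.92.3 #2 built ..."
    tok=${tok%% *}           # "4.92.3" or "4.93-RC1"
    num=${tok%%[_-]*}        # numeric part, release-candidate suffix removed
    case $num in
        ''|*[!0-9.]*) return 2 ;;
    esac
    major=${num%%.*}
    rest=${num#*.}
    if [ "$rest" = "$num" ]; then minor=0; else minor=${rest%%.*}; fi
    if [ -z "$major" ] || [ -z "$minor" ]; then return 2; fi
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$MIN_MAJOR" ] || [ "$minor" -lt "$MIN_MINOR" ]; then return 1; fi
    # A release candidate of the minimum version itself predates the release.
    if [ "$minor" -eq "$MIN_MINOR" ] && [ "$tok" != "$num" ]; then return 1; fi
    return 0
}

report() {
    rc=0
    exim_meets_minimum "$1" || rc=$?
    case $rc in
        0) echo "OK       $1" ;;
        1) echo "UPGRADE  $1" ;;
        *) echo "UNKNOWN  $1" ;;
    esac
}

# Constructed sample banners (not taken from real hosts).
report "Exim version 4.87 #1 built 01-Jan-2017 00:00:00"
report "Exim version 4.92.3 #2 built 01-Jan-2020 00:00:00"
report "Exim version 4.93-RC1 #1 built 01-Jan-2020 00:00:00"
report "Exim version 4.94.2 #2 built 01-Jan-2021 00:00:00"
# On a real host: report "$(exim -bV 2>/dev/null | head -n 1)"
```

Distribution packages can carry backported fixes under an older upstream version number, so an UPGRADE result on a distribution build should be confirmed against the vendor's own advisory.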