Russian Sandworm Group Targets Exim Mail Servers

A Russian hacking group referred to as Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent. The flaw, tracked as CVE-2019-10149, is a remote code execution vulnerability that was introduced in Exim version 4.87; Exim is widely used on Unix-based systems.

An update to correct the vulnerability was released on June 5, 2019. However, many companies still have not updated Exim and remain vulnerable to attack.

The vulnerability can be exploited by sending a specially crafted email, which allows commands to be executed with root privileges. After exploiting the vulnerability, an attacker can install programs, execute code of their choosing, change data, create new accounts, and potentially gain access to stored messages.

According to a recent National Security Agency (NSA) advisory, Sandworm hackers exploit the flaw by embedding a malicious command in the MAIL FROM field of an SMTP message. Attackers can exploit companies running vulnerable Exim versions on internet-facing mail transfer agents.

After exploiting the vulnerability, the hackers download a shell script from a remote server and use it to add privileged users, alter SSH configurations to permit remote access, disable network security settings, and execute an additional script to enable further exploitation. This would most likely give the hackers complete control of the email server, at which point all incoming and outgoing email could be intercepted and exfiltrated.

Sandworm is part of Russia’s General Staff Main Intelligence Directorate, otherwise known as the GRU. The group has previously carried out attacks on European and U.S. targets, including a number of cyberattacks on foreign governing bodies that are assumed to have influenced Russia’s 2016 presidential election.

The NSA has recommended mitigations to prevent exploitation of the vulnerability. The most important is to update Exim to version 4.93 or later immediately. The update fixes CVE-2019-10149 as well as other vulnerabilities that attackers could exploit. After updating, administrators should make sure that software versions are routinely checked and updated as soon as new releases become available. Exim can be updated via the Linux distribution’s package manager or directly from Exim.

If Exim cannot be updated right away, exploit attempts can potentially be identified and blocked. For instance, Snort 3 rule 1-50356 alerts on exploit attempts by default for registered users of the Snort Intrusion Detection System (IDS). Administrators should also regularly verify that there are no unauthorized system changes, such as additional accounts and SSH keys; any such changes would suggest a compromise.
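The checks above (an outdated Exim version, added privileged accounts, and SSH configuration changed to permit remote access) can be scripted for routine auditing. The following is an added example written for this article, not NSA or Exim project code; it assumes a POSIX shell with awk and grep, and the passwd and sshd_config samples it audits are constructed stand-ins for the real files.

```shell
#!/bin/sh
# Added example: audit helpers for the post-exploitation indicators described
# in the advisory summary. Not NSA or Exim code; assumes POSIX sh, awk, grep.

# True (exit 0) when the Exim version string is below 4.93, the release the
# advisory tells administrators to move to. Compares major.minor numerically,
# so 4.87 through 4.92 are flagged and 4.93 or later are not.
exim_version_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{ if ($1 < 4 || ($1 == 4 && $2 < 93)) exit 0; exit 1 }'
}

# Read passwd-format lines on stdin and print every account other than root
# that has UID 0: the kind of privileged user an intruder's script would add.
unexpected_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Read sshd_config on stdin; true (exit 0) when the first active
# PermitRootLogin directive is "yes". sshd honours the first occurrence,
# so a line inserted at the top of the file takes effect. Commented lines are
# skipped; Match blocks are not evaluated by this simplified check.
sshd_permits_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' | grep -qx yes
}

# Constructed sample data standing in for /etc/passwd and /etc/ssh/sshd_config
# on a compromised host: a second UID 0 account and root login switched on.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
svc_backup:x:0:0::/:/bin/sh'
SAMPLE_SSHD='# PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no'

# Run the three checks against the constructed samples and report findings.
audit_sample() {
    exim_version_vulnerable "4.91" && echo "finding: Exim 4.91 is below 4.93, update required"
    printf '%s\n' "$SAMPLE_PASSWD" | unexpected_uid0_accounts | sed 's/^/finding: unexpected UID 0 account: /'
    printf '%s\n' "$SAMPLE_SSHD" | sshd_permits_root_login && echo "finding: sshd permits root login"
    return 0
}

audit_sample
```

On a real host, feed the functions `/etc/passwd` and `/etc/ssh/sshd_config` instead of the samples, and compare the output against a known-good baseline from before the server went into service; a UID 0 account or a PermitRootLogin change that the administrator did not make is the kind of alteration the advisory says indicates a compromise.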

The NSA advises restricting user access privileges when installing public-facing mail transfer agents, and using network segmentation to separate roles and requirements. Public mail transfer agents should be kept separate from sensitive internal resources in a DMZ enclave, with firewall rules set to prohibit unexpected traffic from reaching trusted internal resources. Mail transfer agents should likewise be allowed to send outbound traffic only to required ports; all other ports must be blocked.