The US National Security Agency (NSA), based at Fort Meade, Maryland, has warned that a vulnerability in the Exim mail transfer agent (MTA) has been actively exploited by Russian military-linked cyber actors since August 2019.
US government intelligence sources are urging administrators to patch any mail servers they control that run an unpatched version of the Exim mail transfer agent.
The NSA issued its warning last week. It states that attackers linked to Sandworm, the much-discussed group of hackers allegedly working for Russia’s military intelligence agency (GRU), have been targeting one specific vulnerability in the MTA, CVE-2019-10149.
The CVE identifier is a sign that this vulnerability is not new: it is believed to have existed for nearly a year so far.
Attention first turned to the vulnerability last June, soon after it was seen being exploited in the wild to execute commands and code on any vulnerable machine the attackers could find. At that time, nearly 3.5 million machines were believed to be potentially at risk. Reports since then indicate that fewer, though still around 1 million, remain at risk.
The vulnerability lets both local and remote attackers run arbitrary commands as root.
Exim, a free mail transfer agent available for most Unix systems and some Linux systems, runs nearly 57% of the internet’s email servers, according to research from summer 2019.
In the alert, delivered last week, the NSA said that Russian actors have been exploiting the vulnerability since at least August 2019 in order to “add privileged users, disable network security settings, execute further scripts for additional network exploitation; pretty much any attacker’s ‘dream access’ – as long as that network is using an un-patched version of Exim MTA.”
Following exploitation, the agency explained, it has seen targeted machines download and then execute a shell script from a Sandworm-controlled domain.
Besides adding privileged users and disabling network security settings, the script has also been observed modifying SSH configurations to enable further remote access.
The mere fact that the NSA is circulating guidance (a PDF) about this indicates that the threat now carries renewed urgency.
The NSA has seen the Russian attackers exploit targets running Exim on their public-facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.
The advice to professionals and users alike is to stay vigilant.
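A defender’s view of that MAIL FROM vector, as an added example that is not part of the NSA guidance or of the original article: a small Python scanner that walks an SMTP transcript and flags envelope senders carrying Exim string-expansion syntax (`${`) or shell metacharacters, which a plain sender address never contains. The transcript, the allow-list regex and the function names are assumptions for this example.

```python
import re
from typing import List, Tuple

# Constructed SMTP transcript (not captured traffic): three sessions, the
# second of which carries a placeholder Exim expansion in MAIL FROM.
SAMPLE_TRANSCRIPT = """\
220 mx.example.org ESMTP
EHLO client.example.net
MAIL FROM:<alice@example.net> SIZE=1432
RCPT TO:<bob@example.org>
QUIT
EHLO 198.51.100.7
MAIL FROM:<${expansion-placeholder}@example.net>
RCPT TO:<bob@example.org>
QUIT
EHLO bounce.example.com
MAIL FROM:<>
RCPT TO:<bob@example.org>
"""

# Envelope-sender shape accepted as clean (assumption: deliberately strict
# dot-atom style; rare quoted local parts are flagged for human review).
_CLEAN_ADDR = re.compile(r"^[A-Za-z0-9._%+\-=/]+@[A-Za-z0-9.\-]+$")
# Exim string-expansion opener plus common shell metacharacters. A bare "$"
# is legal in a local part; "${" never is.
_SUSPICIOUS = ("${", "$(", "`", "|", ";")
_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(.*)>", re.IGNORECASE)


def is_suspicious_sender(addr: str) -> bool:
    """True when an envelope sender does not look like a plain address."""
    addr = addr.strip()
    if addr == "":
        return False  # the null sender used by bounces is legitimate
    if any(tok in addr for tok in _SUSPICIOUS) or re.search(r"\s", addr):
        return True
    return _CLEAN_ADDR.match(addr) is None


def scan_smtp_transcript(transcript: str) -> List[Tuple[int, str]]:
    """Return (line_no, sender) for every MAIL FROM with a suspicious sender."""
    hits = []
    for n, line in enumerate(transcript.splitlines(), 1):
        m = _MAIL_FROM.match(line.strip())
        if m and is_suspicious_sender(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for line_no, sender in scan_smtp_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: suspicious MAIL FROM sender {sender!r}")
```

The same check can be pointed at an Exim main log, where the `<=` arrival lines record the envelope sender, to find attempts that predate patching.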