Show vulnerabilities with patch / with exploit
29 May 2020

Sandworm hacking group exploiting Exim flaw since at least 2019


Sandworm hacking group exploiting Exim flaw since at least 2019

The US National Security Agency (NSA) has warned about a new wave of cyber attacks against email servers, conducted by a threat actor known as Sandworm Team.

In a security advisory published Thursday the agency said the Sandworm hackers have been exploiting a vulnerability (CVE-2019-10149) in Exim mail transfer agent (MTA) software since at least August 2019.

Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability in question, which is also known as “The Return of the WIZard” flaw, was found in the Exim mail server versions 4.87 to 4.91 (included). The flaw stems from the fact that the application fails to properly handle the recipient addresses due to the code in deliver_message() which allows an attacker to execute arbitrary commands.

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute commands with root privileges and to install software, modify data, and create new accounts by sending specially crafted email. The flaw was fixed in Exim version 4.92 (released on February 10, 2019).

“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” according to the NSA’s advisory.

This shell script would:

  • Add privileged users

  • Disable network security settings

  • Update SSH configurations to enable additional remote access

  • Execute an additional script to enable follow-on exploitation

The NSA is urging system administrators to update Exim by installing version 4.93 or newer to mitigate the above mentioned flaw and other vulnerabilities.

“Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” the agency added.

Back to the list

Latest Posts

Weekly security roundup: July 13, 2020

Weekly security roundup: July 13, 2020

A short overview of last week's top stories in the world of cyber security.
13 July 2020
Hackers are attempting to exploit recent Citrix vulnerabilities

Hackers are attempting to exploit recent Citrix vulnerabilities

Citrix downplayed the impact of the vulnerabilities and said they are less likely to be exploited compared to CVE-2019-19781.
13 July 2020
Zoom patches critical bug affecting Zoom client for Windows

Zoom patches critical bug affecting Zoom client for Windows

The company has also released a planned update for Phone and Web users, which brings AES-256 bit encryption.
13 July 2020