29 May 2020

Sandworm hacking group exploiting Exim flaw since at least 2019

The US National Security Agency (NSA) has warned about a new wave of cyber attacks against email servers, conducted by a threat actor known as Sandworm Team.

In a security advisory published Thursday the agency said the Sandworm hackers have been exploiting a vulnerability (CVE-2019-10149) in Exim mail transfer agent (MTA) software since at least August 2019.

Exim is a widely used MTA for Unix-based systems and comes pre-installed in some Linux distributions. The vulnerability in question, also known as the “Return of the WIZard” flaw, affects Exim mail server versions 4.87 through 4.91 inclusive. It stems from improper handling of recipient addresses in the deliver_message() function, which allows an attacker to execute arbitrary commands.

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute commands with root privileges, and thereby to install software, modify data, and create new accounts, simply by sending a specially crafted email. The flaw was fixed in Exim version 4.92 (released on February 10, 2019).

“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” according to the NSA’s advisory.

This shell script would:

  • Add privileged users
  • Disable network security settings
  • Update SSH configurations to enable additional remote access
  • Execute an additional script to enable follow-on exploitation

The NSA is urging system administrators to update Exim to version 4.93 or newer to mitigate the above-mentioned flaw and other vulnerabilities.
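As an added illustration (not code from the NSA advisory or from the Exim project), the following Python triage helper turns the two actionable facts above into checks an administrator can run across a fleet: it classifies an Exim version banner against the affected range (4.87 to 4.91), the fix release (4.92) and the version the NSA recommends (4.93 or newer), and it scans /etc/passwd-format text for extra UID 0 accounts, since adding privileged users is one of the actions the advisory attributes to the Sandworm post-exploitation script. The banner text, the passwd lines and the account name svc_backup are constructed sample data, and the category labels are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Version facts as reported in the advisory coverage above.
VULNERABLE_MIN = (4, 87)   # first affected Exim release
VULNERABLE_MAX = (4, 91)   # last affected release (inclusive)
FIXED = (4, 92)            # release in which CVE-2019-10149 was fixed
RECOMMENDED = (4, 93)      # version the NSA urges administrators to install or exceed

# Matches "4.91", "4.92.3" etc. in an `exim --version` banner or SMTP greeting.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.\d+)?\b")


def parse_exim_version(banner: str) -> Tuple[int, int]:
    """Return (major, minor) for the first X.Y version number in a banner string.

    Raises ValueError when no version number is present, so callers cannot
    silently treat an unparsable host as patched.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no Exim version number found in: {banner!r}")
    return int(match.group(1)), int(match.group(2))


def classify_exim_version(version: Tuple[int, int]) -> str:
    """Map a (major, minor) Exim version onto the advisory's remediation guidance.

    Labels are this example's own: 'vulnerable' (4.87-4.91), 'fixed-but-update'
    (4.92: CVE-2019-10149 fixed, but below the recommended 4.93), 'current'
    (4.93 or newer) and 'outside-advisory-range' (older than 4.87, which the
    advisory does not cover and which should be upgraded regardless).
    """
    if VULNERABLE_MIN <= version <= VULNERABLE_MAX:
        return "vulnerable"
    if version < VULNERABLE_MIN:
        return "outside-advisory-range"
    if version < RECOMMENDED:
        return "fixed-but-update"
    return "current"


def extra_root_accounts(passwd_text: str) -> List[str]:
    """Return usernames other than 'root' that carry UID 0 in passwd-format text.

    A second UID 0 account is one concrete form of the 'add privileged users'
    step described for the post-exploitation script.
    """
    found: List[str] = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; not a valid passwd entry
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def triage_host(banner: str, passwd_text: str) -> Dict[str, object]:
    """Combine both checks into one per-host summary."""
    version = parse_exim_version(banner)
    return {
        "version": version,
        "status": classify_exim_version(version),
        "extra_root_accounts": extra_root_accounts(passwd_text),
    }


# Constructed sample data (not from any real host or from the advisory).
SAMPLE_BANNER = "Exim version 4.91 #1 built 02-Mar-2018"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
svc_backup:x:0:0::/:/bin/bash
"""

if __name__ == "__main__":
    print(triage_host(SAMPLE_BANNER, SAMPLE_PASSWD))
```

On a real host the banner comes from `exim --version` and the passwd text from /etc/passwd; a status other than "current" or a non-empty extra_root_accounts list is the cue to patch and to investigate, respectively.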

“Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” the agency added.
