Warning: Sandworm Team Attacking Exim Email Servers

Recently, the US National Security Agency (NSA) released an advisory warning that a Russian cyberespionage group has been exploiting a known vulnerability in a widely used mail transfer agent.

Alert. Alert. Alert.

  • Sandworm Team, a Russian state-sponsored hacking group, has been actively exploiting CVE-2019-10149, a known remote code execution vulnerability in Exim, a mail transfer agent deployed worldwide.
  • According to the agency, Sandworm has been abusing unpatched, internet-facing Exim servers to plant backdoors since at least August 2019. The attackers use the compromised servers as an initial foothold and then pivot to other parts of the victim's network.
  • When the vulnerability is exploited, the victim machine downloads and executes a shell script from an attacker-controlled domain.
  • That script then adds privileged users, disables network security settings, updates the SSH configuration to allow additional remote access, and runs a further script to enable follow-on exploitation.
  • The NSA has advised both government and private organizations to check their servers for these signs of compromise and to update Exim to version 4.93 or later.
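
The checks the advisory asks for can be scripted. The helper below is an added example, not code from the NSA advisory or the Exim project: it flags an Exim version older than the recommended 4.93 and looks for the host-level changes described above, namely extra UID-0 accounts in a passwd file and sshd_config directives that widen remote access. The version strings, file paths and sample file contents are constructed for demonstration.

```shell
#!/bin/sh
# Added triage helper, not from the NSA advisory or the Exim project. It
# checks whether the installed Exim is older than the recommended 4.93 and
# whether the host shows the changes the post-exploitation script makes
# (extra privileged users, sshd settings widened for remote access). All
# file paths and sample file contents below are constructed.

# True (exit 0) when an Exim version string such as "4.91" or "4.94.2" is
# older than 4.93, the minimum the advisory recommends. CVE-2019-10149 itself
# is present in 4.87 through 4.91 and fixed in 4.92; the advisory's higher
# bar is used here.
exim_below_advisory_min() {
    major=${1%%.*}                              # text before the first dot
    rest=${1#"$major"}; rest=${rest#.}          # what follows it, if anything
    minor=${rest%%.*}
    major=$(printf '%s' "$major" | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')   # "92_RC1" -> "92"
    [ "${major:-0}" -lt 4 ] && return 0
    [ "${major:-0}" -eq 4 ] && [ "${minor:-0}" -lt 93 ] && return 0
    return 1
}

# Lists accounts other than root that have UID 0, one per line. Takes a
# passwd-format file (normally /etc/passwd).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Lists active sshd_config directives that widen remote access. Commented
# lines carry "#" in field 1 and therefore never match.
risky_sshd_directives() {
    awk 'tolower($1) == "permitrootlogin" && tolower($2) == "yes" { print }
         tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print }' "$1"
}

# Runs every check, prints findings, and exits 0 only when nothing was found.
triage() {
    ver=$1; passwd=$2; sshd=$3; findings=0
    if exim_below_advisory_min "$ver"; then
        echo "FINDING: Exim $ver is older than 4.93; update per the advisory"
        findings=$((findings + 1))
    fi
    for acct in $(extra_uid0_accounts "$passwd"); do
        echo "FINDING: non-root account with UID 0: $acct"
        findings=$((findings + 1))
    done
    risky=$(risky_sshd_directives "$sshd")
    if [ -n "$risky" ]; then
        echo "FINDING: sshd_config widens remote access:"
        printf '%s\n' "$risky" | sed 's/^/    /'
        risky_count=$(printf '%s\n' "$risky" | awk 'END { print NR }')
        findings=$((findings + risky_count))
    fi
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed sample files standing in for /etc/passwd and /etc/ssh/sshd_config.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:103:107::/var/spool/exim4:/usr/sbin/nologin
mailsvc:x:0:0::/tmp:/bin/bash
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/passwd_clean" <<'EOF'
root:x:0:0:root:/root:/bin/bash
Debian-exim:x:103:107::/var/spool/exim4:/usr/sbin/nologin
EOF
cat > "$demo_dir/sshd_config_clean" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

# Hypothetical version strings; on a real host take the version from: exim -bV
triage 4.91 "$demo_dir/passwd" "$demo_dir/sshd_config" || echo "host needs attention"
triage 4.93 "$demo_dir/passwd_clean" "$demo_dir/sshd_config_clean"
```

On a live server point the functions at /etc/passwd and /etc/ssh/sshd_config and feed the version reported by `exim -bV`. A clean result from these file checks does not prove the host is untouched: the advisory's script also disables network security settings at runtime, so firewall rules and SELinux state should be reviewed alongside these files.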

Digging the worm out of the sand

  • Active since the late 2000s, Sandworm is believed to be the group behind the BlackEnergy malware used in the December 2015 attack on Ukraine's power grid, and is also blamed for the December 2016 outage, which was caused by the Industroyer (CrashOverride) malware.
  • Sandworm is also suspected of developing NotPetya, the 2017 wiper disguised as ransomware that caused billions of US dollars in losses to companies across the globe.
  • CVE-2019-10149 was disclosed by Qualys in June 2019 under the codename "The Return of the WIZard." It is a remote command execution flaw in Exim's message delivery code that affects versions 4.87 through 4.91; version 4.92 contains the fix.
  • About two weeks after the disclosure, Microsoft warned Azure customers about a self-spreading worm that exploits this vulnerability to take control of Exim servers running on Azure infrastructure.

Points to note

  • According to the Mail (MX) Server Survey, only about half of all Exim servers have been updated to version 4.93 or later, leaving a large number of servers exposed.
  • Following the NSA alert, many administrators have patched their servers and removed the backdoors, which should shut Sandworm out of a significant share of the Exim servers it could previously reach; servers still running vulnerable versions remain open to the same attack.
  • The advisory has also drawn renewed attention to Russia's cyberespionage activities. Since late 2018, the Five Eyes countries have been publicly attributing Russian cyberattacks, and malicious activity by China, Iran, and North Korea is being called out in the same way.