NSA Warns of Exim Flaw Being Exploited by Russian Actors
In an advisory last week, the NSA warned that a flaw in the Exim mail transfer agent (MTA) has been exploited by Russian cyber military actors since last August.
Government intelligence officials are encouraging users to patch any mail servers they oversee that use an unpatched version of the Exim mail transfer agent.
The National Security Agency issued a warning last week indicating that attackers affiliated with Sandworm, the much-discussed group of hackers working for Russia's military intelligence agency, have been taking aim at a vulnerability in the MTA, CVE-2019-10149.
As the CVE name suggests, the vulnerability isn’t new; it has existed for nearly a year.
An initial campaign targeting the vulnerability made the rounds last June, shortly after it was exploited in the wild, in an attempt to execute commands and code on vulnerable machines. At the time, nearly 3.5 million machines were at risk. Fewer machines, though still a good number at one million, appear to remain vulnerable, according to reports.
The vulnerability can allow both local and remote attackers to run arbitrary commands as root.
Exim, a free mail transfer agent available on most Unix systems, and some Linux systems, runs almost 57 percent of the internet’s email servers, according to research carried out last summer.
In an alert last Thursday, the NSA claimed that Russian actors have been exploiting the vulnerability since at least last August to “add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”
Following exploitation, the agency says it has seen victim machines download and execute a shell script from a Sandworm-controlled domain.
In addition to adding privileged users and disabling network security, the script has also been seen updating SSH configurations to enable additional remote access.
The fact that the NSA is circulating guidance (.PDF) around the issue shows attackers have some renewed urgency behind the vector.
According to the NSA, the agency has seen Russian attackers exploit victims using Exim software on their public-facing MTAs by sending a command in the "MAIL FROM" field of an SMTP (Simple Mail Transfer Protocol) message.
Here’s an example, via the agency:
If admins haven’t already, they should apply the most recent Exim updates, which bring the software to version 4.94, immediately, either via download or via their Linux distribution's package manager.
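For defenders reviewing SMTP traffic for the "MAIL FROM" vector described above, here is an added detection sketch; it is not code from the NSA advisory or from Exim. It flags MAIL FROM sender paths containing characters that do not belong in a sender address, such as the `${` that opens an Exim string expansion. The function name, the checks and the sample lines are constructed for illustration.

```python
import re

# SMTP MAIL command: capture the reverse-path between < and >, then allow
# optional ESMTP parameters such as SIZE=2048 or BODY=8BITMIME.
MAIL_FROM = re.compile(
    r"^\s*MAIL\s+FROM:\s*<(?P<path>.*)>"
    r"(?:\s+[A-Za-z0-9][A-Za-z0-9-]*(?:=\S+)?)*\s*$",
    re.IGNORECASE,
)

# Heuristics (assumptions of this example, tune for your own mail flow).
CHECKS = {
    "expansion opener '${'": re.compile(r"\$\{"),
    "backslash escape": re.compile(r"\\"),
    "whitespace or control character": re.compile(r"[\s\x00-\x1f\x7f]"),
}


def scan_smtp_commands(lines):
    """Return (line_number, reverse_path, reasons) for suspicious MAIL FROM lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = MAIL_FROM.match(line)
        if not match:
            continue  # not a MAIL FROM command
        path = match.group("path")
        reasons = [name for name, rx in CHECKS.items() if rx.search(path)]
        if reasons:
            findings.append((lineno, path, reasons))
    return findings


# Constructed sample SMTP command lines (inert placeholders, not real traffic).
SAMPLE = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test> SIZE=2048",
    "MAIL FROM:<>",  # null reverse-path used by bounces, legitimate
    "mail from:<${CONSTRUCTED_EXPANSION}@example.test>",
    r"MAIL FROM:<bob\tname@example.test> BODY=8BITMIME",
    "RCPT TO:<carol@example.test>",
]

if __name__ == "__main__":
    for lineno, path, reasons in scan_smtp_commands(SAMPLE):
        print(f"line {lineno}: <{path}> flagged: {', '.join(reasons)}")
```

A hit is a reason to inspect the host and its logs, not proof of compromise; patching remains the fix.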