In a recent advisory, the National Security Agency (NSA) of the United States warned about a Russian cyber-espionage group that has taken to exploiting vulnerabilities in a mail transfer agent.
The Russian hacking group known as Sandworm has been actively exploiting a known vulnerability, tracked as CVE-2019-10149, in Exim, a widely used mail transfer agent. Since August 2019, the group has been abusing unpatched Exim mail servers to plant backdoors, using the compromised servers as the initial point of infection before moving on to other parts of the victim's network. Once the vulnerability is exploited, the victim's machine downloads and executes a shell script from a domain controlled by the attacker. The script then adds privileged users, disables network security settings, updates the SSH configuration to allow additional remote access, and executes a supplementary script to enable further exploitation.
Both government and private organizations are advised to scrutinize their networks thoroughly for signs of compromise and to update their Exim servers to the latest version.
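As an added example (not code from the eScan post or the NSA advisory), the following Python script looks for two of the post-exploitation changes described above: new root-equivalent (uid 0) accounts and loosened SSH daemon settings. It does so by diffing the current contents of /etc/passwd and sshd_config against a saved baseline. The passwd and sshd_config snapshots, the account name `support` and the directive watch-list are all constructed assumptions for illustration.

```python
"""Baseline-diff audit for two host changes described in the post above:
new privileged (uid 0) accounts and altered SSH daemon settings.
Added example; not code from the eScan post or the NSA advisory.
All file contents below are constructed samples, not real captures."""
from typing import Dict, List, Set

# Global sshd_config directives worth alerting on when they differ from the
# baseline (assumed watch-list; extend it to match local policy).
SSHD_WATCHLIST = {
    "permitrootlogin", "passwordauthentication", "permitemptypasswords",
    "authorizedkeysfile", "port", "allowusers", "allowgroups",
}

# Constructed /etc/passwd snapshots: a baseline and a later capture in which
# a hypothetical uid-0 account named "support" has been added.
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
exim:x:101:103::/var/spool/exim:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
PASSWD_CURRENT = PASSWD_BASELINE + "support:x:0:0::/root:/bin/bash\n"

# Constructed sshd_config snapshots: the later capture permits root login and
# password authentication and adds a second authorized_keys path.
SSHD_BASELINE = """# keys only
Port 22
PermitRootLogin no
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
"""
SSHD_CURRENT = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
"""


def _passwd_rows(text: str) -> List[List[str]]:
    """Split passwd-format text into its colon-separated fields."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]


def account_names(text: str) -> Set[str]:
    """Every login name in passwd-format text."""
    return {row[0] for row in _passwd_rows(text)}


def uid0_accounts(text: str) -> Set[str]:
    """Login names whose numeric uid is 0, i.e. root-equivalent accounts."""
    return {row[0] for row in _passwd_rows(text) if len(row) >= 3 and row[2] == "0"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercase directive -> value for the global section of sshd_config.
    sshd honours the first occurrence of a directive, so later duplicates are
    ignored, and parsing stops at the first Match block because directives
    inside it are conditional and need separate handling."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit(passwd_base: str, passwd_now: str, sshd_base: str, sshd_now: str) -> List[str]:
    """Return human-readable findings for changes between baseline and current."""
    findings: List[str] = []
    new_root = uid0_accounts(passwd_now) - uid0_accounts(passwd_base)
    findings += [f"NEW UID-0 ACCOUNT: {n}" for n in sorted(new_root)]
    new_other = account_names(passwd_now) - account_names(passwd_base) - new_root
    findings += [f"new account: {n}" for n in sorted(new_other)]
    base, now = parse_sshd_config(sshd_base), parse_sshd_config(sshd_now)
    for key in sorted((set(base) | set(now)) & SSHD_WATCHLIST):
        if base.get(key) != now.get(key):
            findings.append(f"sshd {key}: {base.get(key, '<unset>')} -> {now.get(key, '<unset>')}")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_BASELINE, PASSWD_CURRENT, SSHD_BASELINE, SSHD_CURRENT):
        print(finding)
```

On a real host the baseline would be captured from a known-good image and stored off the box, since an attacker with root can edit the baseline as easily as the live files; the diff is a cheap first signal that should be followed by a fuller review of the Exim logs and any scheduled tasks.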
The Sandworm timeline
The hacker group known as Sandworm is believed to have been active since the mid-2000s and is credited with developing the BlackEnergy malware responsible for the blackouts in Ukraine in December 2015 and December 2016. The group is also suspected of authoring the notorious NotPetya ransomware, which wreaked havoc globally and caused losses of billions of dollars.
In June 2019, two weeks after the discovery of the vulnerability tagged as CVE-2019-10149 (codenamed "Return of the WIZard"), Microsoft warned its Azure customers about a self-spreading Exim worm that could exploit this vulnerability to take control of Exim servers running on Azure.
Important Points
- According to a survey, only half of Exim servers have been updated to the advised version or later.
- Following the NSA advisory, many administrators have patched their servers to close the backdoor through which the attackers could gain entry.
- Since the advisory, organizations worldwide have been more vigilant about cyber-espionage activity and are working to address the vulnerabilities in their networks.
Consequently, our security experts advise government and private organizations to check their networks for vulnerabilities with a dependable solution such as Nemasis VMS, which will help them close any gaps they may have.
To read more, please check eScan Blog