NSA: Russian Hackers Targeting Vulnerable Email Servers
Sandworm Group Has Been Exploiting Flaw in Exim Servers Since 2019
A Russian government-backed hacking group has been quietly exploiting a critical remote code execution vulnerability in Exim email servers since 2019, the U.S. National Security Agency warns in an alert.
NSA says this hacking campaign is the work of a group called Sandworm – also known as Fancy Bear, BlackEnergy Actors, Cyber Berkut, CyberCaliphate and Pawnstorm - that's been tied to an earlier series of sophisticated cyberespionage campaigns in the U.S. and Europe (see: Hackers Leak Hundreds of German Politicians' Personal Data).
Recently, Sandworm has been targeting Exim, a commonly used mail transfer agent found in Unix operating systems. The hackers are exploiting a vulnerability in how Exim versions 4.87 to 4.91 process received mail, tracked as CVE-2019-10149, which could allow for remote code execution on the victim's mail server, according to the NSA alert.
If successfully exploited, this vulnerability enables the attackers to run commands with root privileges that can allow them to install programs, modify data and create new accounts, according to the alert.
Although Exim released a patch for this flaw in June 2019, the NSA notes that Sandworm continues to target unpatched and vulnerable Exim email servers.
"Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities," the NSA notes. "Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used."
The Sandworm hackers begin their attack by exploiting the CVE-2019-10149 vulnerability, which enables an unauthenticated remote attacker to send a specially crafted email that then allows the attacker to perform commands with root privileges in the vulnerable email server, according to the NSA alert.
The attackers exploit this by sending a command in the "MAIL FROM" field of a Simple Mail Transfer Protocol (SMTP) message to Exim 4.87 users who are running internet-facing mail transfer agents, according to the alert.
After successfully exploiting the vulnerability, the attackers then download and execute a shell script from a Sandworm-controlled domain, which then performs the following activities:
- Add privileged users;
- Disable network security settings;
- Update secure shell configurations to enable additional remote access;
- Execute an additional script to enable follow-on exploitation.
Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former NSA staffer, notes that by exploiting the Exim vulnerability, the attackers might be able to access stored messages in the email server. That’s because many simple mail transfer protocol servers are configured with POP or IMAP services, which enable reading and downloading of emails.
Williams also warns that attackers that exploit these types of server vulnerabilities potentially could gain full control of the server and launch more attacks.
"Email servers are central to most infrastructures. An attacker that compromises this vulnerability would in most cases gain full control over the email server and could read all new incoming mail or use the server as a jumping off point to pivot to other machines inside the network," Williams tells Information Security Media Group. "Considering the amount of sensitive data in many email inboxes, it's easy to see why this would be a very tempting target for attackers."
Jack Mannino, CEO of security firm nVisium, notes: "Gaining root access within an organization's perimeter gives an attacker the ability to exfiltrate sensitive data and access other important internal systems without being detected."
In addition to patching unsecured Exim software, the NSA recommends system administrators routinely monitor for unauthorized system modification.
The NSA also suggests limiting user access privileges while installing public-facing software such as mail transfer agents as well as using network segmentation to separate roles and requirements. "In addition, [mail transfer agents] should only be allowed to send outbound traffic to necessary ports … and unnecessary destination ports should be blocked," according to the alert.
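The NSA's advice to monitor for unauthorized system modification maps directly onto the script behaviours listed above (added privileged users, altered SSH configuration). The following is an added illustrative check, not code from the NSA alert or from Exim; it runs over constructed sample file contents and assumes the defender keeps a known-good copy of sshd_config to diff against.

```python
# Constructed sample of /etc/passwd after the kind of change the NSA alert
# describes: a second UID-0 account has been added. Not real data.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
exim:x:93:93:Exim:/var/spool/exim:/sbin/nologin
mailadm:x:0:0::/home/mailadm:/bin/bash
"""

# Constructed baseline (known-good) and current sshd_config contents.
# Assumption: the administrator snapshots the baseline at deployment time.
BASELINE_SSHD = """PermitRootLogin no
PasswordAuthentication no
"""
CURRENT_SSHD = """PermitRootLogin yes   # changed
PasswordAuthentication yes
Port 22
"""


def extra_root_accounts(passwd_text):
    """Return usernames other than 'root' whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            hits.append(parts[0])
    return hits


def sshd_directives(text):
    """Parse 'Key value' lines into a dict; comments and blank lines ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def sshd_changes(baseline_text, current_text):
    """Return {directive: (baseline_value, current_value)} for every difference."""
    base, cur = sshd_directives(baseline_text), sshd_directives(current_text)
    keys = set(base) | set(cur)
    return {k: (base.get(k), cur.get(k)) for k in keys if base.get(k) != cur.get(k)}


if __name__ == "__main__":
    print("Extra UID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    print("sshd_config drift:", sshd_changes(BASELINE_SSHD, CURRENT_SSHD))
```

In production the same functions would be fed the live files on a schedule and any non-empty result raised as an alert.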
Sandworm is a division within Russia's General Staff Main Intelligence Directorate, or GRU, that is referred to as Unit 74455. In October 2019, Western intelligence agencies linked the group to a cyberattack that targeted the country of Georgia, crippling at least 2,000 government, news media and court websites over the course of one day (see: US, UK Blame Russia for Cyberattack in Country of Georgia).
Also in 2019, the U.S. Justice Department noted that several of the hackers and the commanding officers linked to Unit 74455 were part of the 2016 U.S. presidential election interference campaign (see: 10 Takeaways: Russian Election Interference Indictment).
Managing Editor Scott Ferguson contributed to this report.