Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

NSA: Russian Hackers Targeting Vulnerable Email Servers

Sandworm Group Has Been Exploiting Flaw in Exim Servers Since 2019
NSA: Russian Hackers Targeting Vulnerable Email Servers
Photo: Wikipedia

A Russian government-backed hacking group has been quietly exploiting a critical remote code execution vulnerability in Exim email servers since 2019, the U.S. National Security Agency warns in an alert.

See Also: August Spotlight | Automated Threat Intelligence Correlation

NSA says this hacking campaign is the work of a group called Sandworm – also known as Fancy Bear, BlackEnergy Actors, Cyber Berkut, CyberCaliphate and Pawnstorm - that's been tied to an earlier series of sophisticated cyberespionage campaigns in the U.S. and Europe (see: Hackers Leak Hundreds of German Politicians' Personal Data).

Recently, Sandworm has been targeting Exim, a commonly used mail transfer agent found in Unix operating systems. The hackers are exploiting an email receipt vulnerability in Exim versions 4.87 to 4.91, tracked as CVE-2019-10149, which could allow for remote code execution within the victim's web server, according to the NSA alert.

If successfully exploited, this vulnerability enables the attackers to run commands with root privileges that can allow them to install programs, modify data and create new accounts, according to the alert.

Although Exim released a patch for this flaw in June 2019, the NSA notes that Sandworm continues to target unpatched and vulnerable Exim email servers.

"Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities," the NSA notes. "Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used."

Exim Vulnerability

The Sandworm hackers begin their attack by exploiting the CVE-2019-10149 vulnerability, which enables an unauthenticated remote attacker to send a specially crafted email that then allows the attacker to perform commands with root privileges in the vulnerable email server, according to the NSA alert.

The attackers exploit this by sending a command in the "mail from" field in the simple mail transfer protocol - an electronic mail transfer protocol feature - to Exim 4.87 users who are using internet-facing mail transfer agents, according to the alert.

After successfully exploiting the vulnerability, the attackers then download and execute a shell script from a Sandworm-controlled domain, which can then performs the following activities:

  • Add privileged users;
  • Disable network security settings;
  • Update secure shell configurations to enable additional remote access;
  • Execute an additional script to enable follow-on exploitation.

Critical Vulnerability

Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former NSA staffer, notes that by exploiting the Exim vulnerability, the attackers might be able to access stored messages in the email server. That’s because many simple mail transfer protocol servers are configured with POP or IMAP services, which enable reading and downloading of emails.

Williams also warns that attackers that exploit these types of server vulnerabilities potentially could gain full control of the server and launch more attacks.

"Email servers are central to most infrastructures. An attacker that compromises this vulnerability would in most cases gain full control over the email server and could read all new incoming mail or use the server as a jumping off point to pivot to other machines inside the network," Williams tells Information Security Media Group. "Considering the amount of sensitive data in many email inboxes, it's easy to see why this would be a very tempting target for attackers."

Jack Mannino, CEO of security firm nVisium, notes: "Gaining root access within an organization's perimeter gives an attacker the ability to exfiltrate sensitive data and access other important internal systems without being detected.”

Security Recommendation

In addition to patching unsecured Exim software, the NSA recommends system administrators routinely monitor for unauthorized system modification.

The NSA also suggests limiting user access privileges while installing public-facing software such as mail transfer agents as well as using network segmentation to separate roles and requirements. "In addition, [mail transfer agents] should only be allowed to send outbound traffic to necessary ports … and unnecessary destination ports should be blocked," according to the alert.


Sandworm is a division within the Russia's General Staff Main Intelligence Directorate - or GRU – that’s referred to as Unit 74455. In October 2019, Western intelligence agencies linked the group to a cyberattack that targeted the country of Georgia, crippling at least 2,000 government, news media and court websites over the course of one day (see: US, UK Blame Russia for Cyberattack in Country of Georgia).

Also in 2019, the U.S. Justice Department noted that several of the hackers and the commanding officers linked to Unit 74455 were part of the 2016 U.S. presidential election interference campaign (see: 10 Takeaways: Russian Election Interference Indictment).

Managing Editor Scott Ferguson contributed to this report.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.