The US National Security Agency (NSA) released a new warning that the Russian state cyber attackers are exploiting a vulnerability in the Exim Email server for the last nine months.
The Exim is a mail transfer agent(MTA) software that was developed by the University of Cambridge which is mainly used on the Unix-operating System. It also comes with many popular Linux distributions like Red Hat and Debian. It is thought to run on millions of Email servers globally.
NSA warned that organizations for the failed patch CVE-2019-10149 that was recently fixed in June 2019 that may be at risk from the famous Sandworm Group.
The Cyber attacker exploits the victim by using Exim software on their public-facing MTAs by sending the command in ‘MAIL FROM field of an SMTP(Simple Mail Transfer Protocol) message.
The attackers which unauthenticated take remote and send a specially crafted email to execute commands with the root privileges and allow the cyber attackers to install the malicious program, change the data, and create new accounts.
When the CVE-2019-10149 patch is exploited by the sandworm group and after that, they target the machine where they download and execute the shell script from the domains which are under sandworm group control.
When the new script executed by the attacker then some changes they can do like:
- Update SSH Configuration
- Add privileged users
- Disable the Network security setting
This is all the above done to enable additional remote access that can execute an additional script in the shell to keep enable of follow-on exploitation.
The NSA mentioned and called organizations for the upgrade of the Exim and install 4.93 or the newer version. The NSA also asked to use network-based security devices to detect and block CVE-2019-10149 the attempts of exploitation.
The Sandworm is known for the most sophisticated state hacking outfit. This is also predicted that it may be linked to the BlackEnergy malware that we used for attacks in Ukrainian power stations in 2015 and 2016 which basically cause the major outrage during winter. The campaigns are especially against the NATO members and European Government in 2019
[…] Washington Post and Wall Street Journal that basically claimed that the product may be used by the Russian intelligence to harvest the data potentially with the Pc […]