Russian military hackers targeting unpatched Exim mail servers, NSA warns

The U.S. National Security Agency (NSA) has warned that Russian military hackers are exploiting a vulnerability in the unpatched Exim mail transfer agent (MTA) software to disable security settings and carry out network exploitation.

In a press release issued Thursday, the NSA said that the Russian military hackers who have been exploiting the CVE-2019-10149 vulnerability in the Exim mail transfer agent (MTA) software since August last year belong to the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST) and are publicly known as the Sandworm Team.

"Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August. Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well," the agency said.

"The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA," it added.

The vulnerability was patched last year by Exim through a software update, but the NSA believes that many Exim users are still running old versions of the MTA software and are therefore exposed to Russian state-sponsored hackers.

In a cybersecurity advisory detailing the exploit, the NSA said that by sending a specially crafted email, an unauthenticated attacker can execute commands with root privileges to install programs, modify data, and create new accounts. Victim machines would subsequently download and execute a shell script from a Sandworm-controlled domain; that script can add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute a further script to enable follow-on exploitation.
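The advisory summarised above gives a defender two things to check: whether the Exim build on a host is older than the fixed release, and whether the post-exploitation changes it describes (extra privileged users, loosened SSH access) are already present. The script below is an added example, not NSA's or the article's code. The `exim -bV` output, the `/etc/passwd` excerpt and the `sshd_config` excerpt are all constructed samples; the article does not state which Exim release fixed CVE-2019-10149, so `FIRST_FIXED_VERSION` is a placeholder to be replaced from the Exim advisory or the NVD entry; and the choice of `PermitRootLogin yes` and `PasswordAuthentication yes` as the "additional remote access" indicators is an assumption, since the advisory summary does not list the directives.

```python
"""Defender-side checks for the Exim activity described in the NSA advisory.

Added example, not NSA's or the article's code. Every sample input below is
constructed for the demo, not captured from a real host.
"""
import re
from typing import Dict, List, Tuple

# Constructed `exim -bV` output. Real Exim prints a first line of this shape
# ("Exim version X.YZ #N built ..."); the version here is made up.
SAMPLE_EXIM_BV = (
    "Exim version 4.91 #1 built 19-Jun-2018 08:41:33\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)

# PLACEHOLDER: the article does not state the first Exim release that fixed
# CVE-2019-10149. Take it from the Exim advisory or the NVD entry.
FIRST_FIXED_VERSION = "9.99"

# Constructed /etc/passwd excerpt with one extra UID-0 account ("svcmon").
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "svcmon:x:0:0:monitoring:/home/svcmon:/bin/bash\n"
)

# Constructed sshd_config excerpt with one directive that widens remote access.
SAMPLE_SSHD_CONFIG = (
    "# constructed sample\n"
    "Port 22\n"
    "PermitRootLogin yes\n"
    "PasswordAuthentication no\n"
)

# Assumption: these directive/value pairs are what "enable additional remote
# access" most plausibly looks like; the advisory summary does not list them.
RISKY_SSHD = {("permitrootlogin", "yes"), ("passwordauthentication", "yes")}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.92.3' -> (4, 92, 3), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_exim_version(bv_output: str) -> Tuple[int, ...]:
    """Pull the version number out of `exim -bV` output."""
    match = re.search(r"^Exim version (\d+(?:\.\d+)+)", bv_output, re.MULTILINE)
    if match is None:
        raise ValueError("no 'Exim version' line found in output")
    return version_tuple(match.group(1))


def exim_is_patched(bv_output: str, first_fixed: str) -> bool:
    """True when the running build is at or above the first fixed release."""
    return parse_exim_version(bv_output) >= version_tuple(first_fixed)


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Accounts with UID 0 other than root: the 'privileged users' the
    advisory says the Sandworm script adds."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def risky_sshd_settings(sshd_config: str) -> List[str]:
    """Effective (uncommented) sshd directives that widen remote access."""
    findings = []
    for line in sshd_config.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if (key, value) in RISKY_SSHD:
            findings.append(stripped)
    return findings


def audit(bv_output: str, passwd_text: str, sshd_config: str,
          first_fixed: str) -> Dict[str, object]:
    """Run all three checks and return the findings as one record."""
    return {
        "exim_patched": exim_is_patched(bv_output, first_fixed),
        "extra_uid0_accounts": extra_uid0_accounts(passwd_text),
        "risky_sshd_settings": risky_sshd_settings(sshd_config),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXIM_BV, SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG,
                   FIRST_FIXED_VERSION)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host the three inputs would come from `exim -bV`, `/etc/passwd` and `/etc/ssh/sshd_config`; the version comparison is done on integer tuples deliberately, because a string comparison would rank "4.9" above "4.10".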

"Security principles such as least access models and defense-in-depth should be applied when installing public facing software such as MTAs and can help prevent exploitation attempts from being successful. Network segmentation should be used to separate networks into zones based on roles and requirements. Public facing MTAs should be isolated from sensitive internal resources in a demilitarized zone (DMZ) enclave," NSA added.

Russian military hackers targeted UK-based organisations as well

This isn't the first time that the malicious activities of GRU-associated Russian military hackers have been red-flagged by Russia's adversaries. In October 2018, the UK's NCSC said that it had evidence to prove that Russia's premier military intelligence agency, the GRU, was behind a large number of "indiscriminate and reckless cyber attacks" on political institutions, businesses, media, and sports organisations.

"The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

"Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability," said Foreign Secretary Jeremy Hunt.

The NCSC announced that a number of well-known Russian hacker groups that have caused mayhem across the world in the past few years are composed of GRU agents and are therefore actively supported by the Russian government. These hacker groups include APT 28, Fancy Bear, Sofacy, Pawnstorm, STRONTIUM, Sandworm, Sednit, CyberCaliphate, Voodoo Bear, Cyber Berkut, and BlackEnergy Actors.

The NCSC added that it can state with "almost certainty" that GRU agents were behind the BadRabbit ransomware that caused operational disruptions in Ukrainian and Russian organisations such as the Kyiv metro, Odessa airport and Russia's central bank, the cyber-attack on WADA's Anti-Doping Administration and Management system in 2017, the cyber-attack on the U.S. Democratic National Committee in 2016, and the theft of multiple email accounts of a small UK-based TV station between July and August 2015.

Commenting on Russian hackers targeting devices running outdated Exim software, Wai Man Yau, Vice President of Sonatype, said that with as many as 57% of publicly reachable mail servers on the Internet using Exim, if businesses are using unpatched versions, the scale of attacks could be huge.

“The flaw has been listed on National Vulnerability Database since 2019, and safe versions are available, so in theory, companies should be protected. But theory and practice are sadly very different, and all too often companies fail to fix faults in their software.

“Companies using Exim must patch their software urgently to prevent a breach. However, it’s important that as an industry, we recognise that these kinds of attacks aren’t isolated events. Vulnerabilities that are known, but older, are prime targets for attack campaigns - companies without open source practices may forget such flaws exist. But hackers won't.

“This latest incident shows that it has become open season on open source, and until software supply chain security best practices become commonplace, hacker groups will continue to target such applications,” Yau added.
