FORT MEADE, Md. , May 28, 2020 — Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August. Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing.
The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.
When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.
For more information on this vulnerability and associated mitigations, review our Cybersecurity Advisory "Sandworm Actors Exploiting Vulverability in Exim Mail Transfer Agent. To receive notice of future cybersecurity product releases and technical guidance, follow our new Twitter handle @NSAcyber.
To read more, check out NSA's Cybersecurity Advisories & Technical Guidance at nsa.gov/cybersecurity/