Email this Article Email   

CHIPS Articles: NSA Cybersecurity Advisory: Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors

NSA Cybersecurity Advisory: Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors
By NSA Cybersecurity Advisory - May 29, 2020
FORT MEADE, Md. , May 28, 2020 — Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August. Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing.

The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.

When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.

For more information on this vulnerability and associated mitigations, review our Cybersecurity Advisory "Sandworm Actors Exploiting Vulverability in Exim Mail Transfer Agent. To receive notice of future cybersecurity product releases and technical guidance, follow our new Twitter handle @NSAcyber.

To read more, check out NSA's Cybersecurity Advisories & Technical Guidance at nsa.gov/cybersecurity/

NSA Cybersecurity Advisory logo
Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer