The US National Security Agency (NSA) has issued a cyber security advisory warning American organisations of a Russian hacking campaign exploiting a bug in commonly used email software to target private firms and organisations.
According to the NSA, the hacking group behind these attacks is associated with the GRU, a unit within Russia's Main Intelligence Directorate. This group is referred to as "Sandworm" in the cyber security community and is linked with power-grid attacks in Ukraine.
The NSA says these hackers have been leveraging a serious security flaw, indexed as CVE-2019-10149, in the Exim mail transfer agent (MTA) since at least August 2019.
Exim is commonly found on Unix-based operating systems. It comes pre-installed on some Linux distributions such as Debian.
While a patch for CVE-2019-10149 has already been released, many users have not yet updated their systems to patch the security gap in their systems.
A quick Shodan search reveals that vulnerable Exim versions are currently running on about 2,481,000 Internet-exposed servers, with over 2,467,000 servers running the patched Exim 4.93 version.
To exploit the bug, hackers just need to send a specially crafted email, which enables them to run arbitrary commands with root privileges on vulnerable mail servers.
After CVE-2019-10149 is successfully exploited, the victim's machine subsequently downloads a shell script from a Sandworm-controlled domain. The script then attempts to disable network security settings, add privileged users, change SSH configurations, and download more scripts to enable follow-on exploitation.
"Being able to gain root access to a bridge point into a network gives you so much ability and capability to read email, to navigate across and manoeuvre through the network," the NSA explains.
To mitigate the risk, the NSA recommends that system admins patch their Exim servers by installing version 4.93 or newer. They should also check software versions regularly and update them as new versions become available.
The NSA has also released Indicators of Compromise (IoC) and instructions on how admins can detect exploit attempts and unauthorised changes in their systems.
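A first-pass check for the version recommendation above, written as an added example (not code from the NSA advisory or the Exim project): it parses the banner printed by `exim -bV`, compares it with the 4.93 minimum the advisory names, and reports whether an update is required. The binary names tried and the sample banners are assumptions constructed for this example.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum version the NSA advisory recommends (taken from the article, not an Exim project constant).
RECOMMENDED_MIN: Tuple[int, int] = (4, 93)

# First line of `exim -bV` looks like: "Exim version 4.92 #3 built 12-Jun-2019 12:31:00"
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from `exim -bV` output; None if the banner is not recognised."""
    match = _VERSION_RE.search(bv_output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(version: Optional[Tuple[int, int]]) -> str:
    """Classify a parsed version against the advisory's minimum.

    Caveat: distribution packages may carry backported fixes under an older
    upstream version number, so "update-required" means "verify against your
    distribution's security changelog", not proof of exposure.
    """
    if version is None:
        return "unknown"
    return "ok" if version >= RECOMMENDED_MIN else "update-required"


def get_local_exim_version() -> Optional[Tuple[int, int]]:
    """Run the local Exim binary (assumed names: exim4 on Debian-style systems, exim elsewhere)."""
    for binary in ("exim4", "exim"):
        try:
            proc = subprocess.run([binary, "-bV"], capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.SubprocessError):
            continue
        return parse_exim_version(proc.stdout)
    return None


# Constructed sample banners for offline use; not captured from real hosts.
SAMPLE_OLD = "Exim version 4.91 #1 built 10-Feb-2018 12:31:00\nCopyright (c) University of Cambridge"
SAMPLE_NEW = "Exim version 4.93 #2 built 04-Dec-2019 10:00:00"

if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_NEW):
        print(banner.splitlines()[0], "->", assess(parse_exim_version(banner)))
    print("local host ->", assess(get_local_exim_version()))
```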
Last year, Google's Threat Analysis Group (TAG) disclosed that it had sent more than 12,000 warnings in just three months to alert users about email attacks traced to the Sandworm group.
TAG researchers said they had also noticed Sandworm targeting legitimate app developers in Ukraine through spear-phishing emails. In one such case, the attackers were able to compromise a developer with a large number of published apps on the Play Store.