The NSA warns: the Russians have fallen for us!

The US National Security Agency (NSA) today issued a warning about a new wave of cyber attacks against e-mail servers. The attacks were carried out by one of Russia's most advanced spy units.

The NSA says members of Unit 74455 of the GRU Main Center for Special Technologies, part of Russia's military intelligence service, have attacked email servers running Exim mail transfer agent (MTA).

The team also known as “Sandworm”, Attacks Exim servers since August 2019 taking advantage of a critical vulnerability (CVE-2019-10149), the NSA states in a security alert [PDF] announced today.

"When the Sandworm exploits CVE-2019-10149, the victim system downloads and runs a shell script from a controlled domain by Sandworm", Reports the NSA.

This shell script I will:

• Add privileged users
• Disable network security settings
• Update SSH settings to allow remote access
• Run an additional script to allow further exploits

The NSA is now warning private and government agencies to inform them Exim servers in version 4.93 and look for signs of violation. Violations are listed in the PDF issued by the NSA.

The team Sandworm has been active since the mid-2000s and is believed to be the hacker team that developed the BlackEnergy malware that caused a blackout in Ukraine in December 2015. In December 2016 the team also developed the famous ransomware NotPetya which caused billions of dollars in losses to companies around the world.

The vulnerability CVE-2019-10149 was unveiled in June 2019 and has the code name "Return of the WIZard".

Within a week of its revelation, various hacking groups began using it. Two weeks later, Microsoft also issued a warning at the time, warning Azure customers.

Almost half of the internet email servers run on Exim. According to statistics from May 1, 2020, only half of them Exim servers have been updated to version 4.93 or later, leaving a large number of systems vulnerable to attack.