The NSA warns: the Russians have fallen for us!

The US National Security Agency (NSA) today published a warning about a new wave of cyber attacks against email servers. The attacks were carried out by one of Russia's most advanced spy units.

The NSA says that members of Unit 74455 of the GRU Main Center for Technologies, a division of Russian military intelligence, attacked email servers running the Exim mail transfer agent (MTA).

The group, also known as "Sandworm", has been attacking Exim since August 2019 by exploiting a critical vulnerability (CVE-2019-10149), the NSA says in a security alert [PDF] published today.

"When Sandworm exploits CVE-2019-10149, the victim's system downloads and runs a shell script from a Sandworm-controlled domain," the NSA said.

This shell script will:

  • Add privileged users
  • Disable network security settings
  • Update SSH settings to allow remote access
  • Run an additional script to allow further exploits

The NSA is now urging private organizations and government agencies to update Exim servers to version 4.93 and to look for signs of compromise. The indicators of compromise are listed in the PDF issued by the NSA.
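One way to act on the advice above, as an added Python example (not from the article or the NSA advisory): it compares `exim -bV` output against 4.93 and flags two of the listed script behaviours, assuming an added privileged user appears as an extra UID 0 account and that the SSH changes involve directives such as `PermitRootLogin yes`. The function names and sample inputs are constructed for illustration.

```python
import re

FIXED = (4, 93)  # release the article says to update to
def exim_version(banner):
    """Parse (major, minor) from `exim -bV` output, e.g. 'Exim version 4.92.3 #2 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def uid0_accounts(passwd_text):
    """Names of accounts other than root that have UID 0 in passwd-format text."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

# Assumed examples of directives that widen remote access; not a list from the NSA.
RISKY_SSHD = {"permitrootlogin": "yes", "permitemptypasswords": "yes"}
def risky_sshd(sshd_text):
    """Active sshd_config lines matching RISKY_SSHD (Match blocks are not interpreted)."""
    hits = []
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split keyword/value
        if len(parts) >= 2 and RISKY_SSHD.get(parts[0].lower()) == parts[1].lower():
            hits.append(f"{parts[0]} {parts[1]}")
    return hits

def triage(banner, passwd_text, sshd_text):
    """Return human-readable findings for one host; an empty list means nothing flagged."""
    findings = []
    version = exim_version(banner)
    if version is None:
        findings.append("exim version not recognised")
    elif version < FIXED:
        findings.append(f"exim {version[0]}.{version[1]} is older than 4.93")
    findings += [f"extra UID 0 account: {name}" for name in uid0_accounts(passwd_text)]
    findings += [f"sshd setting: {d}" for d in risky_sshd(sshd_text)]
    return findings

# Constructed sample inputs (not taken from any real host or from the advisory).
SAMPLE_BANNER = "Exim version 4.92.3 #2 built 01-Jan-2020 00:00:00"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsvcadm:x:0:0::/home/svcadm:/bin/sh\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin"
SAMPLE_SSHD = "# PermitRootLogin yes\nPermitRootLogin yes\nPasswordAuthentication no"
if __name__ == "__main__":
    for finding in triage(SAMPLE_BANNER, SAMPLE_PASSWD, SAMPLE_SSHD):
        print(finding)
```

A clean result from these heuristics does not replace checking the indicators listed in the NSA PDF.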

The Sandworm group has been active since the mid-2000s and is believed to be the group that developed the malware which caused a blackout in Ukraine in December 2015 and December 2016, and the team that developed the famous NotPetya ransomware, which caused billions of dollars in losses to companies around the world.

The CVE-2019-10149 vulnerability was disclosed in June 2019 and has the code name "Return of the WIZard".

Within a week of its disclosure, various hacking groups began exploiting it. Two weeks later, Microsoft also issued a warning to Azure customers.

Almost half of all Internet email servers run on Exim. According to statistics as of May 1, 2020, only half of these Exim servers have been updated to version 4.93 or later, leaving a large number of systems vulnerable to attack.


Written by giorgos
