The US National Security Agency (NSA) today issued a warning about a new wave of cyber attacks against e-mail servers, carried out by one of Russia's most advanced spy units.
The NSA reports that members of Unit 74455 of the GRU Main Center for Special Technologies, a division of Russia's military intelligence service, attacked email servers running the Exim mail transfer agent (MTA).
The group, also known as "Sandworm", has been attacking Exim servers since August 2019 by exploiting a critical vulnerability (CVE-2019-10149), the NSA says in a security alert [PDF] released today.
"When Sandworm exploits CVE-2019-10149, the victim's system downloads and runs a shell script from a Sandworm-controlled domain," the NSA states.
This shell script will:
- Add privileged users
- Disable network security settings
- Update SSH settings to allow remote access
- Run an additional script to enable further exploitation
The NSA is now urging private and government organizations to update Exim servers to version 4.93 and to look for signs of compromise. Indicators of compromise are listed in the PDF released by the NSA.
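One way for an administrator to triage a fleet against the version threshold the NSA cites, as an added example that is not part of the original article or of any NSA material: the function below parses the first line of `exim -bV` output (the sample outputs here are constructed, not captured from real hosts) and flags any server older than 4.93. The threshold constant follows the article's guidance; the host names and outputs are assumptions.

```python
import re

# Version the NSA advisory (as reported above) tells operators to reach or exceed.
PATCHED = (4, 93, 0)

# Constructed sample output from `exim -bV` on several hypothetical hosts.
SAMPLE_BV_OUTPUT = {
    "mx1.example.test": "Exim version 4.92 #3 built 12-Jun-2019 10:11:12\nCopyright (c) University of Cambridge",
    "mx2.example.test": "Exim version 4.93 #1 built 05-Dec-2019 08:00:00\nCopyright (c) University of Cambridge",
    "mx3.example.test": "Exim version 4.92.3 #2 built 28-Sep-2019 09:30:00\nCopyright (c) University of Cambridge",
    "mx4.example.test": "Exim version 4.94.2 #1 built 30-Apr-2021 14:00:00\nCopyright (c) University of Cambridge",
}

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str) -> tuple:
    """Return (major, minor, patch) parsed from `exim -bV` output.

    The patch component is optional in Exim's banner (e.g. "4.92" vs "4.92.3"),
    so a missing one is treated as 0 to keep tuple comparison well-defined.
    """
    m = _VERSION_RE.search(bv_output)
    if not m:
        raise ValueError("no Exim version string found in output")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable_version(version: tuple) -> bool:
    """True when the version is below the advised 4.93 threshold."""
    return tuple(version) < PATCHED


def triage_hosts(outputs: dict) -> dict:
    """Map each host to its parsed version and a 'vulnerable'/'ok' verdict."""
    report = {}
    for host, output in outputs.items():
        version = parse_exim_version(output)
        report[host] = {
            "version": ".".join(str(n) for n in version),
            "status": "vulnerable" if is_vulnerable_version(version) else "ok",
        }
    return report


def vulnerable_hosts(outputs: dict) -> list:
    """Sorted list of hosts that still need the Exim update."""
    return sorted(h for h, r in triage_hosts(outputs).items() if r["status"] == "vulnerable")


if __name__ == "__main__":
    for host, result in triage_hosts(SAMPLE_BV_OUTPUT).items():
        print(f"{host:20} {result['version']:8} {result['status']}")
```

On a real host the output would come from `subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout`; the version check only tells you whether a server is below the advised release, so hosts flagged "ok" should still be checked against the indicators in the NSA PDF.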
The Sandworm team has been active since the mid-2000s and is believed to be the hacker team that developed the BlackEnergy malware that caused a blackout in Ukraine in December 2015. In December 2016, the team also developed the famous ransomware NotPetya which caused billions of dollars in losses to companies around the world.
Vulnerability CVE-2019-10149 was disclosed in June 2019 and is codenamed "Return of the WIZard".
Within a week of its disclosure, various hacking groups had started using it. Two weeks after that, Microsoft also issued an alert warning customers of its Azure service.
Almost half of all Internet email servers run on Exim. According to statistics as of May 1, 2020, only half of these Exim servers have been updated to version 4.93 or later, leaving a large number of systems vulnerable to attack.