Sandworm actors exploiting Exim MTA vulnerability

Sandworm actors target Exim MTA vulnerability

The National Security Agency (NSA) issued a new warning of Russian cyber actors exploiting an Exim Mail Transfer Agent (MTA) vulnerability CVE-2019-10149. The cyber attacks have been ongoing since last August.

Exim is a popular mail transfer agent (MTA) used on mostly Unix-like operating systems.

The NSA attributed the Exim attacks and malicious cyber program to Russian actors, also publicly known as the Sandworm team.

“Russian cyber actors from the GRU Main Center for Special Technologies (GTsST), field post number 74455, have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019,” the NSA warned in a recent advisory.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the NSA added.

Exim patched the Exim MTA vulnerability CVE-2019-10149 on June 5, 2019. Shortly afterwards, multiple security firms issued new warnings of active attacks against unpatched Exim systems.

At that time, it was reported that a local attacker could exploit the MTA vulnerability and execute arbitrary commands with execv(), as root. In addition, attackers could exploit the flaw remotely in certain “non-default configurations.”

Furthermore, researchers from Tenable also warned last June that nearly 4.1 million servers were vulnerable to local or remote exploits. In other words, nearly 90% of total Exim installations at that time.

Later in September 2019, researchers discovered two additional Exim vulnerabilities CVE-2019-15846 and CVE-2019-16928. Hackers could exploit these issues to execute remote code and compromise Exim systems.

Mitigations

Organizations should apply the necessary updates, Exim version 4.93 or newer, to address the vulnerability as soon as possible.

In addition, teams should update network appliances and monitoring to detect and/or block CVE-2019-10149 exploit attempts.

Finally, “defense-in-depth” principles should be applied. Examples include isolation of DMZ networks/systems from internal networks, least privilege access controls, and DMZ firewall rules needed to block malicious traffic from reaching trusted internal networks.

Related Articles