Russian Sandworm Hacking Group Exploits Exim Mail Servers

A Russian hacking group named Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, software typically deployed on Unix-based systems. The vulnerability, tracked as CVE-2019-10149, is a remote code execution flaw that was found in Exim version 4.87.

An update resolving the vulnerability was made available on June 5, 2019; nevertheless, numerous businesses still have not updated Exim and remain vulnerable to attack.

The vulnerability can be exploited by sending a specially crafted email that allows commands to be executed with root privileges. After exploiting the flaw, an attacker could install programs, execute code of their choosing, alter data, create new accounts, and potentially gain access to stored information.

According to the latest National Security Agency (NSA) advisory, Sandworm hackers exploit the vulnerability by inserting malicious code into the MAIL FROM field of an SMTP message. Businesses running vulnerable Exim versions on internet-facing mail transfer agents are exposed to this attack.

After exploiting the vulnerability, the attackers download a shell script from a remote server and use it to create privileged users, change SSH settings to enable remote access, disable network security settings, and run a further script to enable additional exploitation. This would likely give the attackers total control of the email server, at which point all inbound and outbound email messages can be intercepted and exfiltrated.

Sandworm is part of Russia’s General Staff Main Intelligence Directorate, also known as the GRU. The hackers have previously carried out attacks on European nations and the United States. The group has carried out several cyberattacks on foreign government authorities that are alleged to have affected Russia’s 2016 presidential election.

The NSA has advised mitigations to prevent exploitation of the flaw. The most important is to update Exim to version 4.93 or a newer release without delay. The update resolves CVE-2019-10149 along with other vulnerabilities that hackers may exploit. After upgrading, administrators must ensure that software updates are checked for regularly and applied as soon as new versions are available. Exim can be updated through the Linux distribution’s package manager or directly from Exim.

When it is not possible to update quickly, it may still be possible to detect and block exploit attempts. For example, Snort 3 rule 1-50356 alerts on exploit attempts automatically for registered Snort Intrusion Detection System (IDS) users. Administrators should also regularly confirm that there are no suspicious system changes, such as added accounts and SSH keys. Such alterations would indicate a breach.
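The two checks described above (is the installed Exim at 4.93 or newer, and have any accounts or SSH keys appeared that were not there before) can be scripted. The following is an added example, not code from the article, the NSA advisory or the Exim project; the `exim -bV` output, passwd entries and authorized_keys lines are constructed sample data, and the threshold version is taken from the article's advice.

```python
"""Defender-side checks: confirm Exim is at the advised version and spot
new accounts or SSH keys on a mail server. Added example; sample data
below is constructed and does not describe any real host or key."""
import re

PATCHED = (4, 93)  # version threshold from the article's advice (4.93 or newer)

def exim_version(bv_output: str) -> tuple:
    """Parse the version out of 'exim -bV' output ('Exim version 4.91 #3 ...')."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not m:
        raise ValueError("could not find an Exim version string")
    return int(m.group(1)), int(m.group(2))

def exim_is_patched(bv_output: str) -> bool:
    """True when the reported version meets the advised minimum."""
    return exim_version(bv_output) >= PATCHED

def new_accounts(baseline_passwd: str, current_passwd: str) -> list:
    """Return (user, uid) for accounts in the current passwd file that are
    absent from a trusted baseline; a uid of 0 means a new privileged user."""
    def parse(text):
        rows = {}
        for line in text.splitlines():
            parts = line.split(":")
            if len(parts) >= 3:
                rows[parts[0]] = int(parts[2])
        return rows
    before, now = parse(baseline_passwd), parse(current_passwd)
    return [(u, uid) for u, uid in now.items() if u not in before]

def new_ssh_keys(baseline_keys: str, current_keys: str) -> list:
    """Return authorized_keys lines that were not present in the baseline."""
    before = {l.strip() for l in baseline_keys.splitlines() if l.strip()}
    return [l.strip() for l in current_keys.splitlines()
            if l.strip() and l.strip() not in before]

# Constructed sample inputs (placeholder names and truncated key material).
BV_OLD = "Exim version 4.87 #1 built 12-Apr-2016\nCopyright (c) University of Cambridge"
BV_NEW = "Exim version 4.93 #2 built 06-Dec-2019"
PASSWD_BASE = "root:x:0:0:root:/root:/bin/bash\nexim:x:93:93::/var/spool/exim:/sbin/nologin\n"
PASSWD_NOW = PASSWD_BASE + "svc_tmp:x:0:0::/:/bin/bash\n"
KEYS_BASE = "ssh-ed25519 AAAAC3Nz...baseline admin@mailhost\n"
KEYS_NOW = KEYS_BASE + "ssh-rsa AAAAB3Nz...unknown constructed-added\n"

if __name__ == "__main__":
    print("patched:", exim_is_patched(BV_OLD), exim_is_patched(BV_NEW))
    print("new accounts:", new_accounts(PASSWD_BASE, PASSWD_NOW))
    print("new keys:", new_ssh_keys(KEYS_BASE, KEYS_NOW))
```

On a real host, feed `exim -bV`, `/etc/passwd` and each user's `authorized_keys` into these functions against copies taken at a known-good time.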

The NSA recommends minimizing user access privileges when setting up public-facing mail transfer agents, and using network segmentation to separate functions and requirements. It is crucial to keep public mail transfer agents separated from sensitive internal resources in a DMZ enclave, with firewall rules set to prevent unexpected traffic from reaching trusted internal resources. Mail transfer agents should also be permitted to send outgoing traffic only to essential ports; all other ports should be blocked.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone