Monday, October 14, 2024
HomeCVE/vulnerabilityRussian APT Hackers Exploiting Exim Vulnerability Since 2019 - NSA Warns

Russian APT Hackers Exploiting Exim Vulnerability Since 2019 – NSA Warns

Published on

Malware protection

NSA warns that Russian hackers exploiting the Exim vulnerability (CVE-2019-10149) since at least last August. The APT hacker group linked with the attack is Sandworm Team.

Sandworm Team is known to be active since 2009, and the group mainly targets Ukrainian entities associated with energy, industrial control systems, SCADA, government, and media.

Hackers Exploiting Exim Vulnerability

Exim is a popular mail transfer agent (MTA) that comes pre-installed with some Linux distributions such as Debian. Last June, Exim patched critical remote code execution vulnerability that affects versions between Exim 4.87 to 4.91. The vulnerability was fixed with Exim 4.92.

- Advertisement - SIEM as a Service

The vulnerability can be exploited by an unauthenticated remote attacker by sending a specially crafted email to execute commands with root privileges.

NSA observed that threat Russian APT hackers exploiting Exim vulnerability on public-facing MTA by sending a crafted mail in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.

If the vulnerability was exploited successfully then attackers able to install programs, modify data, and create new accounts.

“When Sandwormexploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain.”

Following are the script that attackers can execute;

  • add privileged users
  • disable network security settings
  • update SSH configurations to enable additional remote access
  • execute an additional script to enable follow-on exploitation

Using a previous version of Exim leaves the system vulnerable. System administrators are recommended to update with the latest version to mitigate the attacks.

Indicators of Compromise (IOC)

95.216.13(.)196
103.94.157(.)5
hostapp(.)be

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...