NSA attentive to new Sandworm attack on mail servers

NSA

The US National Security Agency (NSA) has published today

The NSA issued a security alert this Friday to warn of a new wave of cyber attacks against mail servers, attacks carried out by one of Russia’s most advanced cyber-espionage units. The NSA reports that members of Unit 74455 of the GRU Main Center for Special Technologies (Gtsst), a division of the Russian military intelligence service, attacked e-mail servers using the Exim Mail Transfer Agent (MTA).

Also known as "Sandworm", this group has been hacking Exim servers since August 2019 exploiting a critical vulnerability identified as CVE-2019-10149, the NSA said in a security alert shared today with Zdnet. "When Sandworm ran CVE-2019-10149, the victim machine downloaded and then executed a shell script from a domain controlled by Sandworm," the NSA said.

This shell script would allow in particular:

• add privileged users;
• disable network security settings;
• update SSH configurations to allow additional remote access;
• to run an additional script to allow further exploitation.

The NSA is now warning private and government organizations to update their Exim servers to version 4.93 and look for signs of compromise. The trade-off indicators are available in the NSA PDF, which is linked above.

Nine Months to Attack

The Sandworm group has been active since the mid-2000s. This is certainly the group of hackers behind the malware Blackenergy, which caused a massive power outage in Ukraine in December 2015 and December 2016. It is also the group that hides behind the infamous ransom software Notpetya that has caused billions of US dollars in damages to companies around the world.

With the Turla group, Sandworm is currently considered one of the two most advanced computer hacking groups sponsored by the Russian state. The CVE-2019-10149 vulnerability was revealed in June 2019, and received the code name "Return of the Wizard".

Within a week of its release, hacker groups began to abuse it. Two weeks later, Microsoft also issued an alert at the time, warning Azure’s customers that a threat actor had developed a self-spreading Exim worm that exploited this vulnerability to seize servers running on Azure’s infrastructure.

SMTP, Prime Target

Nearly half of Internet email servers work with Exim. According to May 1, 2020 statistics, only half of the Exim servers were updated to version 4.93, or later, leaving a large number of Exim instances vulnerable to attack.

"Many organizations are fixating on Cloud or mobile. They quickly forget that really old services like SMTP represent a large part of their personal and professional lives, and that, by definition, these services are exposed to the Internet", explains Richard Bejtlich, senior security strategist.

"They are perfect targets for adversaries facing the Internet, they process the most sensitive data and people treat them like devices, which means they are often forgotten as long as they continue to work, and are not monitored".

Name and Shame

But today’s NSA Security Advisory has two other goals as well as encouraging Exim administrators to fix their servers. It is also intended to burn a lot of Sandworm’s offensive infrastructure. Following today’s alert, Sandworm operators are at risk of losing access to many servers they have hacked in the past nine months, as server administrators are deploying patches and removing Sandworm’s back doors.

Second, the notice again draws the world’s attention to Russia’s cyber-espionage operations. Many of these Russian operations have often exceeded the limits of what is acceptable in the field of modern cyber-espionage by often causing damage in the real world (e.g., Notpetya, Badrabbit, Blackenergy, Ddos attacks in Georgia, DNC hacking, etc.)

The United States and the other member countries of the Five Eyes organization, which brings together the intelligence services of Washington’s Anglo-Saxon allies, have made the denunciation and denunciation of Russian cyber-attacks a political issue. At least since the end of 2018. They have since continued by extending this policy to Chinese, Iranian and North Korean operations as well.