Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA
A Russian hacking outfit called Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, which is commonly used for Unix-based systems. The flaw, tracked as CVE-2019-10149, is a remote code execution vulnerability that was introduced in Exim version 4.87.
An update was released on June 5, 2019 to correct the flaw, but many organizations have still not updated Exim and remain vulnerable to attack.
The vulnerability can be exploited by sending a specially crafted email which allows commands to be executed with root privileges. After exploiting the flaw, an attacker can install programs, execute code of their choosing, modify data, create new accounts, and potentially gain access to stored messages.
According to a recent National Security Agency (NSA) alert, Sandworm hackers have been exploiting the flaw by incorporating a malicious command in the MAIL FROM field of an SMTP message. Attacks have been performed on organizations using vulnerable Exim versions that have internet-facing mail transfer agents.
After exploiting the vulnerability, a shell script is downloaded from a remote server under the control of the hackers which is used to add privileged users, update SSH configurations to allow remote access, disable network security settings, and execute an additional script to allow further exploitation. This would potentially allow the hackers to gain full control of the email server. Were that to happen, all incoming and outgoing email could be intercepted and exfiltrated.
Sandworm is part of Russia’s General Staff Main Intelligence Directorate, otherwise known as GRU. The hackers have previously conducted attacks on countries in Europe and the United States. The group has conducted several cyberattacks on foreign governments is believed to have been involved in Russia’s efforts to influence the outcome of the 2016 presidential election.
The NSA has suggested mitigations to prevent exploitation of the flaw, the most important of which is updating Exim immediately to version 4.93 or a later release. The update will correct the CVE-2019-10149 vulnerability and other vulnerabilities that could potentially be exploited. After updating, administrators should make sure that software versions are regularly checked and updated as soon as new versions are released. Exim Mail Transfer Agent software can be updated through the Linux distribution’s package manager or directly from Exim.
If it is not possible to update immediately, it may be possible to detect and block exploit attempts. For instance, “Snort 3 rule 1-50356 alerts on exploit attempts by default for registered users of a Snort Intrusion Detection System (IDS).” Administrators should also routinely verify there have been no unauthorized system modifications such as additional accounts and SSH keys. Modifications would indicate a compromise.
The NSA recommends limiting user access privileges when installing public-facing mail transfer agents and network segmentation should be used to separate roles and requirements. It is important to keep public mail transfer agents separate from sensitive internal resources in a DMZ enclave, and firewall rules should be set to block unexpected traffic from reaching trusted internal resources. It is also important to only permit mail transfer agents to send outbound traffic to necessary ports. All other ports should be blocked.
“If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the Internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated,” explained the NSA in their alert.