Russian Hackers are Hacking Major Email Servers – NSA says
The National Security Agency has said that the Hackers of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, has been hacking Major Email Servers using the EXIM Mail Transfer Agent.
The Group is known as Sandworm, has been exploiting the vulnerability CVE-2019-10149, which involves EXIM servers that would cause the victim’s computer to download and execute a shell script from a Sandworm-controlled domain. The Shell Script would Add privileged users, Disable network security settings, Update SSH configurations to enable additional remote access, and Execute an additional script to enable follow-on exploitation.
EXIM servers usually run a UNIX based operating system and are used widely by many companies and governments that its alternative, which is the Microsoft proprietary Exchange is not known much.
The Sandworm group has been infamous since the last decade with famous exploits as the BlackEnergy Malware that infected the Nuclear servers in Ukraine in December 2015 and December 2016. The group has also been involved in 2016 US Presidential Elections which attacked the Democratic National Committee emails and breaking into voter registration databases.
The CVE-2019-10149 vulnerability was disclosed in June 2019 with many malicious actors abusing it as soon as it was made public. Microsoft also issued an alert after two weeks at the time, warning Azure customers that a threat actor had created a self-spreading Exim worm that exploited this vulnerability to take over servers running on Azure infrastructure.
Nearly half of the servers that handle SMTP, which are email servers are vulnerable to this exploit with stats showing half of all Exim servers have been updated to version 4.93, or later, leaving a large number of Exim instances exposed to attacks.