Russian hacking group “Sandworm” attacking Exim Email servers, warns NSA
Sandworm Attacks on Exim Email Servers: NSA Warns
The National Security Agency (NSA) has recently released an advisory warning about a Russian cyber-espionage group. The advisory states that the Sandworm Team has been actively exploiting a known vulnerability in Exim, CVE-2019-10149.
Exim is a popular, globally used mail transfer agent. This is not the first time Russian hackers have tried to exploit vulnerabilities in it.
According to the report, the group has been abusing unprotected Exim mail servers, planting backdoors on them since August 2019. The hacked servers serve as the base for the initial infection of targeted systems; from there the hackers move on to other parts of the victim's network.
A shell script, fetched from an attacker-controlled domain, is executed on the infected system and is capable of performing several functions:
- Add privileged users,
- Update SSH configurations to allow remote access,
- Disable security settings on the network and
- Execute additional scripts to enable follow-on exploitation.
The NSA said that both government and private organizations are under threat and they should immediately update their Exim servers to version 4.93.
Long history of Sandworm
Sandworm has been active since the mid-2000s and has conducted various attack campaigns:
- They are behind the BlackEnergy malware that caused power blackouts in Ukraine in December 2015 and December 2016.
- Experts believe that this group also developed the NotPetya ransomware, which has cost victims billions of US dollars across the world.
- Back in June 2019, researchers discovered the CVE-2019-10149 vulnerability and called it the “Return of the WIZard.” Two weeks after its discovery, Microsoft warned Azure customers that a self-spreading Exim worm was capable of exploiting this vulnerability and could gain control of servers running on infrastructure provided by Azure.
Sandworm Attack on Exim Mail Servers Left Systems Vulnerable
A recent survey found that only half of all Exim servers are running version 4.93 or later, which means a large number of Exim servers are still at risk. Many server administrators patched their servers and removed the backdoor after the NSA issued its alert.
Eventually, this should stop the Sandworm hackers from taking control of many Exim servers in the future.
Finally, the advisory draws attention to Russia's cyber-espionage activities. In late 2018, the Five Eyes countries began releasing information about cyber-attacks carried out by Russia. They have also highlighted the malicious activities of Iran, China and North Korea.
What Should You Do to Avoid Sandworm Attacks on Exim Email Servers?
If you are running an Exim mail server, make sure you update it to version 4.93 or later.
- Check your server for backdoors. Once your server is clean, make sure all security controls are in place.
- If your server or computer is infected, change all passwords associated with the affected email accounts. If you are an organization, inform your employees and have them change their passwords immediately.
- Enable multi-factor authentication wherever possible.
- Keep an eye on the server logs, and if you notice any unauthorized activity, inform the administrators or tech team immediately so that they can secure the servers.
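The following Python script is an added example, not code from the article or from the NSA advisory, that turns the checklist above and the script capabilities described earlier (privileged users added, SSH configuration loosened) into three concrete defensive checks an administrator can run offline against copied-out data: is the reported Exim version at least 4.93, does /etc/passwd contain UID-0 accounts other than root, and does sshd_config contain directives that widen remote access. The list of "risky" sshd directives and all sample inputs are assumptions constructed for the example; the advisory itself names no such values.

```python
import re

# Exim release at or above which CVE-2019-10149 is fixed, per the advisory above.
MIN_SAFE_EXIM = (4, 93)


def parse_exim_version(banner):
    """Extract (major, minor) from output such as 'Exim version 4.92 #3 built ...'.
    Returns None when no version number is present."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def exim_is_patched(banner, minimum=MIN_SAFE_EXIM):
    """True when the reported Exim version is at least the minimum safe release.
    Integer tuple comparison avoids the classic '4.100' < '4.93' string bug."""
    version = parse_exim_version(banner)
    return version is not None and version >= minimum


def find_extra_uid0_accounts(passwd_text):
    """Return usernames other than 'root' that carry UID 0 in /etc/passwd content.
    A second UID-0 account is one sign of the 'add privileged users' step."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


# Assumed set of sshd directives whose listed values widen remote access.
# This is the example's own heuristic table, not a list from the advisory.
RISKY_SSHD_DIRECTIVES = {
    "permitrootlogin": {"yes"},
    "permitemptypasswords": {"yes"},
    "passwordauthentication": {"yes"},
}


def find_risky_sshd_settings(sshd_config_text):
    """Return (directive, value) pairs from sshd_config content that hit the table.
    Comments and blank lines are dropped; keywords are case-insensitive as in sshd."""
    findings = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in RISKY_SSHD_DIRECTIVES and value in RISKY_SSHD_DIRECTIVES[key]:
            findings.append((parts[0], parts[1].strip()))
    return findings


def audit(exim_banner, passwd_text, sshd_config_text):
    """Run all three checks and return one report dictionary."""
    return {
        "exim_patched": exim_is_patched(exim_banner),
        "extra_uid0_accounts": find_extra_uid0_accounts(passwd_text),
        "risky_sshd_settings": find_risky_sshd_settings(sshd_config_text),
    }


if __name__ == "__main__":
    # Constructed sample inputs standing in for `exim -bV`, /etc/passwd and
    # /etc/ssh/sshd_config from a hypothetical server; none of this is real data.
    sample_banner = "Exim version 4.92 #3 built 12-Jun-2019 10:40:10"
    sample_passwd = "\n".join([
        "root:x:0:0:root:/root:/bin/bash",
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
        "mysql:x:0:0::/var/lib/mysql:/bin/sh",  # constructed: an extra UID-0 account
    ])
    sample_sshd = "\n".join([
        "# constructed sshd_config",
        "Port 22",
        "PermitRootLogin yes",
        "PasswordAuthentication no",
    ])
    for key, value in audit(sample_banner, sample_passwd, sample_sshd).items():
        print(f"{key}: {value}")
```

On a live host you would feed `audit()` the output of `exim -bV` and the contents of `/etc/passwd` and `/etc/ssh/sshd_config`; the checks are deliberately read-only so they can be run from an investigation shell without altering the server, and any UID-0 account or risky SSH directive they report should be reconciled against what the administrator actually configured before assuming compromise.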
It is very important to enable 2FA on your accounts and to use strong passwords. To keep those passwords secure, use a reputable password manager such as Dashlane (review).