According to the NSA's report, a new wave of attacks is being conducted by Russia's cyber-espionage units: Russian cyber actors from the GRU Main Center for Special Technologies have been exploiting a vulnerability in the Exim Mail Transfer Agent (MTA) software. An update for this critical vulnerability (CVE-2019-10149) in Exim was released on 5 June 2019.
Downloads and executes shell scripts
The vulnerability in Exim version 4.87 allows remote code execution. An attacker can send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts. Once the vulnerability is exploited, the attacker can download and execute a shell script from a Sandworm-controlled domain. The script is able to:
- Add privileged users
- Disable network security settings
- Update SSH configurations to enable additional remote access
- Execute an additional script to enable follow-on exploitation
According to the NSA's report, the following IP addresses and domains were associated with these attacks by the Sandworm actor:
The NSA also urged users to immediately update Exim to version 4.93 or newer to mitigate this and other vulnerabilities.
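As an added example (not code from the NSA report or from this article), a small Python helper for two defender checks the advisory implies: parsing `exim -bV` output to see whether the installed build predates the fixed 4.93 release, and listing UID-0 accounts other than root in /etc/passwd-format text. Treating the "privileged users" the script adds as extra UID-0 entries is an assumption, and the sample inputs are constructed.

```python
import re
from typing import List, Tuple

# Release the advisory names as the fix for CVE-2019-10149 (from the article).
FIXED_VERSION = (4, 93)

# Constructed sample of `exim -bV` output (not a real host's output).
SAMPLE_BV = (
    "Exim version 4.92 #3 built 02-Jun-2019\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)

# Constructed /etc/passwd-style sample with one extra UID-0 account.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "support:x:0:0::/home/support:/bin/bash\n"
)


def parse_exim_version(bv_output: str) -> Tuple[int, int]:
    """Extract (major, minor) from `exim -bV` output, e.g. 'Exim version 4.92 #3 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not m:
        raise ValueError("could not find an Exim version string")
    return int(m.group(1)), int(m.group(2))


def exim_needs_update(bv_output: str) -> bool:
    """True when the installed Exim is older than the fixed 4.93 release."""
    return parse_exim_version(bv_output) < FIXED_VERSION


def uid_zero_accounts(passwd_text: str) -> List[str]:
    """Return every UID-0 account other than root (assumption: added privileged
    users show up as extra UID-0 entries; each one deserves a look)."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


if __name__ == "__main__":
    print("Exim needs update:", exim_needs_update(SAMPLE_BV))
    print("Extra UID-0 accounts:", uid_zero_accounts(SAMPLE_PASSWD))
```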