NSA warns Russian Sandworm hackers have infiltrated email MTA Exim

By Chris Burns/May 29, 2020 1:30 pm EST

This week the NSA warned the public that Russian military cyber actors have been exploiting a version of email software for several months at least. The exploited system is MTA software for Unix-based systems, Exim mail – software that's installed with a number of Linux distributions by default. While the original patch for this vulnerability was released last year, many computers still run Exim without said patch.

The vulnerability is code-named CVE-2019-10149 – so you'll know what you're facing when you look it up if you've not already patched before you get infiltrated. The vulnerability allows a remote attacker with knowledge of the exploit to execute commands and code of their choosing.

The Russian group recently discovered to be on the attack with this exploit was Sandworm, according to the NSA release. They've suggested that these Russian cyber actors were from the GRU Main Center for Special Technologies (GTsST) field post 74455. "The cyber actors responsible for this malicious cyber program," said an NSA release, "are known publicly as Sandworm team."

Per an official NSA release on the exploit, "The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA."

The patch for this exploit was issued months ago, with a warning from Exim developers. Now the NSA's making certain they've warned the public as well. Per the NSA, "NSA adds its encouragement to immediately patch to mitigate against this still current threat."

With the release of this information, the NSA suggested that "further cybersecutiry product releases and technical guidance" will be shared in the future from their new Twitter handle. They'll be at @NSAcyber on Twitter, while their official page remains at nsa.gov/cybersecurity/ right this minute.