Russia-linked threat actors have exploited several vulnerabilities in the Exim mail transfer agent (MTA) in their campaigns.
Last week, the U.S. National Security Agency (NSA) warned that Russia-linked APT group tracked Sandworm Team has been exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA).
According to the NSA, hackers belonging to the Unit 74455, under the Russian GRU Main Center for Special Technologies (GTsST), are exploiting the CVE-2019-10149 issue after an update was issued in June 2019.
The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.” states the advisory.
Russian state-sponsored hackers leverage the vulnerability to download a shell script from a domain under their control and use it to “add privileged users, disable network security settings, update SSH configurations to enable additional remote access, execute an additional script to enable follow-on exploitation.”
NSA recommends patching Exim servers immediately by installing version 4.93 or newer.
Now security firm RiskIQ revealed that threat actors had exploited two other Exim vulnerabilities in the same campaign. The two issues are:
In May, RiskIQ experts identified more than 900,000 vulnerable Exim servers. Most of the servers were running version 4.92, this means that they were patched against the CVE-2019-10149 issue, while they were still impacted by the other two vulnerabilities.
Experts noticed that many servers were updated in May, but there are still hundreds of thousands of vulnerable servers.
“The vulnerabilities leveraged impact Exim Internet Mailer version 4.87 – 4.92. Searching RiskIQ’s internet intelligence database, from May 1, 2020, RiskIQ has observed over 900K vulnerable Exim instances.” reads the analysis published by RiskIQ.
(SecurityAffairs – hacking, cybersecurity)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.