NSA: Russia Hacking U.S. Firms, via Old Exim Flaw

The Russian state is breaking into companies by exploiting a vulnerability in an open source email server, according to the National Security Agency. Unpatched versions of the Exim MTA don’t properly validate the addresses in a crafted message, allowing the hackers codenamed “Sandworm” to run commands as root, and then download and execute a shell script.

Remember CVE-2019-10149? It was patched almost a year ago. Yet more than half of internet-connected Exim MTAs are running old versions.

Not sure which is worse, state-sponsored hacking or the lack of patching. In today’s SB Blogwatch, we wish no plagues on any houses.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Don Lee.


GRU GTsST vs. the World

What’s the craic? Christopher Bing reports—“NSA warns of ongoing Russian hacking campaign”:

 The [NSA] warned government partners and private companies about a Russian hacking operation. [It] declined to discuss which business sectors had been most affected, how many organizations were compromised using the Russian technique, or whether the cyber espionage operation targeted a specific geographic region.

The NSA said the hacking activity was tied directly to a specific unit within Russia’s … GRU, named the Main Center for Special Technologies. The cybersecurity research community refers to this same hacking group as “Sandworm,” and has previously connected it to disruptive cyberattacks against Ukrainian electric production facilities. … Mike Pompeo also called out the same GRU unit in February.

And Dan Goodin adds in—“Sandworm group uses emails to send root commands to buggy Exim servers”:

 The critical bug makes it possible for an unauthenticated remote attacker to send specially crafted emails that execute commands with root privileges. With that, the attacker can install programs of their choosing, modify data, and create new accounts.

There is general agreement among security researchers that the hacking group working on behalf of [the Sandworm] unit has been responsible for some of the most ambitious and destructive cyberattacks in recent years. Examples include: Hacks in 2015 and 2016 that triggered power outages in Ukraine; the unleashing of NotPetya; a malware attack in early 2018 that shut down key parts of the Winter Olympics.

The Exim mail-server bug … CVE-2019-10149 … came to light last June, at the same time that developers published a security patch. … The attacks have been active since at least August. … People responsible for Exim servers should check that they’re running version [4.93] or higher.
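Want to check that yourself? Here is an added example (mine, not Ars’s and not the Exim project’s) that pulls the version out of `exim -bV` output or an SMTP banner and compares it with the 4.93 floor quoted above. The floor is a parameter: the CVE-2019-10149 fix itself shipped in 4.92, so pass `(4, 92, 0)` if that is the line you care about. The sample banners are constructed, and `local_exim_version()` just runs whatever `exim` is on the PATH, if any.

```python
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Floor quoted on this page (NSA / Ars): 4.93 or newer. The fix for
# CVE-2019-10149 itself shipped in 4.92, so pass (4, 92, 0) to is_vulnerable()
# or triage() if that is the line you actually care about.
MIN_SAFE: Version = (4, 93, 0)

# Matches "Exim version 4.92 #3 built ..." (exim -bV) and
# "220 mx ESMTP Exim 4.91 ..." (SMTP banner); the patch level is optional.
_VERSION_RE = re.compile(
    r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE
)


def parse_exim_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from exim -bV output or an SMTP banner, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text: str, min_safe: Version = MIN_SAFE) -> Optional[bool]:
    """True if the version in text is below min_safe, False if not, None if no version is found."""
    v = parse_exim_version(text)
    return None if v is None else v < min_safe


def triage(banners: Iterable[str], min_safe: Version = MIN_SAFE) -> List[Tuple[str, str]]:
    """Classify each banner as 'vulnerable', 'ok' or 'unknown' (not Exim, or no version)."""
    out: List[Tuple[str, str]] = []
    for banner in banners:
        state = is_vulnerable(banner, min_safe)
        verdict = "unknown" if state is None else ("vulnerable" if state else "ok")
        out.append((banner.strip(), verdict))
    return out


def local_exim_version() -> Optional[Version]:
    """Ask the locally installed exim (if any) for its version; None if exim is absent."""
    try:
        res = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_exim_version(res.stdout)


# Constructed sample banners for illustration; these are not real hosts.
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Exim 4.91 Tue, 26 May 2020 10:00:00 +0000",
    "220 mx2.example.net ESMTP Exim 4.92.3 Tue, 26 May 2020 10:00:01 +0000",
    "220 mx3.example.net ESMTP Exim 4.93 Tue, 26 May 2020 10:00:02 +0000",
    "220 mx4.example.net ESMTP Postfix",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS):
        print(f"{verdict:10s} {banner}")
    print("local exim:", local_exim_version())
```

Feed it the first line of `exim -bV` on each box, or the banners from your own port-25 scan, and anything that comes back “vulnerable” goes to the top of the patch queue.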

No Such Agency? Shadowy pseudonymous scribblers scurry, saying—“Sandworm actors exploiting vulnerability in Exim”: [You’re fired—Ed.]

 Russian cyber actors from the GRU Main Center for Special Technologies (GTsST), field post number 74455, have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019. … The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” [command] of an SMTP [transaction].

When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script. … The following IP addresses and domains were associated with these attacks: … 95.216.13.196; 103.94.157.5; hostapp.be.
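Already patched, but wondering whether you were hit first? As an added example (mine, not the NSA’s and not from this page), this scans Exim mainlog-style lines for the two IP addresses and the domain quoted above. It also flags the `${run{` string-expansion operator: that detail is not on this page, but it is the Exim construct the public CVE-2019-10149 exploits smuggle into an envelope address, which Exim logs as `F=<...>`. The log lines are constructed, with the command payload replaced by a placeholder.

```python
import re
from typing import List, Tuple

# Indicators quoted on this page from the NSA advisory.
IOC_IPS = {"95.216.13.196", "103.94.157.5"}
IOC_DOMAINS = {"hostapp.be"}

# Assumption, not from the page: ${run{...}} is Exim's string-expansion
# operator for executing a command, and it is what public CVE-2019-10149
# exploits smuggle into an envelope address. Exim logs the envelope sender as
# F=<...>, so a run expansion anywhere in a mainlog line is a strong signal.
RUN_EXPANSION = "${run{"

# Exim mainlog writes the peer address as [a.b.c.d].
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain_re(domain: str):
    # Whole-token match, so "hostapp.be" does not fire on "nothostapp.be.org".
    return re.compile(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", re.IGNORECASE)


_DOMAIN_RES = {d: _domain_re(d) for d in IOC_DOMAINS}


def scan_line(line: str) -> List[str]:
    """Return the indicators matched in one log line (empty list if clean)."""
    hits: List[str] = []
    for ip in sorted(set(_IP_RE.findall(line))):
        if ip in IOC_IPS:
            hits.append(f"ioc-ip:{ip}")
    for domain, rx in sorted(_DOMAIN_RES.items()):
        if rx.search(line):
            hits.append(f"ioc-domain:{domain}")
    if RUN_EXPANSION in line:
        hits.append("exim-run-expansion")
    return hits


def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, hits) for every line that matched something."""
    out: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            out.append((n, hits))
    return out


# Constructed mainlog excerpt; the command inside ${run{...}} is a placeholder.
SAMPLE_MAINLOG = """\
2020-05-26 09:12:41 1jdXyz-0001aB-Cd <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2311
2020-05-26 09:13:07 H=(hostapp.be) [95.216.13.196] F=<${run{PLACEHOLDER}}@localhost> rejected RCPT <root@localhost>
2020-05-26 09:13:09 H=([103.94.157.5]) [103.94.157.5] rejected connection in "connect" ACL
2020-05-26 09:15:22 1jdXzz-0001aC-Ef <= bob@example.com H=mx.example.com [198.51.100.7] P=esmtps S=9812
"""

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_MAINLOG.splitlines()):
        print(f"line {lineno}: {', '.join(hits)}")
```

Point `scan_log()` at `/var/log/exim4/mainlog` (or wherever your distro puts it) and its rotated siblings; the NSA says the activity goes back to August 2019, so look further than the current file.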

At which ClueHammer scoffs:

 NSA is trying to incite more anti Russian fears … to increase their budget.

But trucmat thinks there’s another reason:

 Russia sure seems to think the USA is their enemy. ’Bout time our federal government got on the same page and branded Russia an outlaw nation.

As for the victims, kot-begemot-uk gives them an F (again):

 Anybody who has not fixed a year old vulnerability in an MTA which has been fixed on the day by every single distro shipping it, does not belong anywhere near the security industry. [This story] has totally **** all to do with security.

And Dilbert furiously facepalms:

 Oh good lord. … Either do on-prem correctly by allocating adequate resources and hiring competent full time staff, or be done with it and migrate to [SaaS].

Half assed IT is a huge liability.

How many? Sergiu Gatlan has a quick count and finds it’s more than half:

 Even though the Exim flaw is known to have been exploited in the wild since at least June 9, 2019, there still are millions of unpatched servers vulnerable to attacks. According to a quick Shodan search, vulnerable versions of Exim are currently running on about 2,481,000 Internet-exposed servers, with more than 2,467,000 servers running the patched Exim 4.93 release.

Meanwhile, protected by minions, it’s Tfargo04:

 Of course GRU was behind this. He’s despicable.

And Finally:

The first U.S. TV network



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Alexander Semenov (cc:by)


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
