The US National Security Agency (NSA) issued a warning on Thursday that a Russian hacker group known as Sandworm is exploiting a vulnerability in Exim to compromise vulnerable email servers.
Exim is a mail transfer agent common on Unix-based operating systems such as Linux. The vulnerability allows an attacker to run code on the server remotely by sending it a malicious email.
The advisory says that Sandworm, a unit of the GRU military intelligence agency, has been actively exploiting a known vulnerability in Exim, an alternative to bigger players such as Exchange and Sendmail, running on email servers around the world. Doug Cress, chief of the cybersecurity collaboration centre and directorate at NSA, explains: "Being able to gain root access to a bridge point into a network gives you so much ability and capability to read email, to navigate across and maneuver through the network."
To exploit the target network, Sandworm has used the vulnerability to extend its remote access: adding its own privileged users to the server, disabling network security settings, updating secure shell configurations and running a script on the server.
Sandworm has previously been linked to cyberattacks against Ukrainian electricity production facilities in 2015 and 2016 and to the NotPetya worm that inflicted $10 billion in damage globally in 2017.
It is not clear which business sectors are the targets, how many organisations were targeted or if there was a specific geographic region that was targeted.
The vulnerability was patched last year. Organisations are advised to update the Exim software immediately and to check traffic logs for signs of exploitation, so that any security gap can be closed.
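The post-exploitation activity attributed to Sandworm above (added privileged users, changed secure shell configuration) leaves traces a defender can look for directly on a mail host. The following script is an added example written for this page; it is not code from the NSA advisory or the article. It checks a passwd-format file for uid 0 accounts other than `root` and an `sshd_config` file for directives that have been switched to `yes`, widening remote access. The sample `/etc/passwd` and `sshd_config` contents embedded below are constructed for demonstration; the function names are this example's own.

```python
"""Audit helpers for a Linux mail host after a suspected Exim compromise.

Added example, not from the NSA advisory or the article. The two checks
correspond to two of the post-exploitation actions the advisory describes:
extra privileged (uid 0) accounts and loosened SSH daemon settings. Both work
on text so they can also be run on files copied off a host.
"""
import sys

# Constructed sample /etc/passwd: a second uid-0 account ("sysadm") was added.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:101:103::/var/spool/exim4:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
"""

# Constructed sample sshd_config with two directives loosened to "yes".
SAMPLE_SSHD_CONFIG = """\
# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
# AuthorizedKeysFile .ssh/authorized_keys
"""

# Directives whose value "yes" widens remote access and deserves review.
RISKY_SSHD_DIRECTIVES = {"permitrootlogin", "passwordauthentication", "permitemptypasswords"}


def extra_uid0_accounts(passwd_text):
    """Return account names with uid 0 other than 'root', in file order."""
    found = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; skip rather than guess
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def risky_sshd_settings(config_text):
    """Return (directive, value) pairs set to 'yes' among the risky directives.

    Commented-out lines are ignored. sshd applies the first occurrence of a
    directive, so the first value seen wins here as well.
    """
    effective = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in RISKY_SSHD_DIRECTIVES and key not in effective:
            effective[key] = value
    return [(k, v) for k, v in effective.items() if v == "yes"]


def audit(passwd_text, config_text):
    """Run both checks and return their findings as a dict."""
    return {
        "extra_uid0_accounts": extra_uid0_accounts(passwd_text),
        "risky_sshd_settings": risky_sshd_settings(config_text),
    }


if __name__ == "__main__":
    # Usage: audit_host.py /etc/passwd /etc/ssh/sshd_config
    # With no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            passwd = f.read()
        with open(sys.argv[2]) as f:
            cfg = f.read()
    else:
        passwd, cfg = SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG
    for check, findings in audit(passwd, cfg).items():
        print(f"{check}: {findings if findings else 'none'}")
```

On a real host, run it against `/etc/passwd` and `/etc/ssh/sshd_config` (both paths are assumptions about a typical Linux layout); any account it lists besides `root`, or any directive it flags, should be reconciled against change records before the host is trusted again.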