The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, conducted by one of Russia’s most advanced cyber-espionage units. The attackers, members of Unit 74455 of the GRU Main Center for Special Technologies (GTsSt), also known as “Sandworm”, have been attacking email servers running the Exim mail transfer agent. The unit is part of the Russian military intelligence service. Since August 2019 they have been exploiting a critical vulnerability tracked as CVE-2019-10149.
The NSA also added that when Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. The shell script would:
All private and government organizations are encouraged to update their Exim servers to version 4.93 and to check for any signs of compromise. According to stats from May 1, 2020, only half of all Exim servers had been updated to version 4.93 or later. Running older versions leaves a large number of Exim instances exposed to these attacks.
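One way to triage a fleet against the 4.93 recommendation, as an added example that is not from the NSA alert or the article: parse the first line of `exim -bV` output collected from each host and flag anything older than 4.93. The hostnames and command output below are constructed samples, not real systems.

```python
import re
from typing import Optional, Tuple

# Minimum Exim release the alert asks operators to run (from the article).
MIN_SAFE_VERSION = (4, 93)

# Constructed sample output from `exim -bV` on four made-up hosts.
# The first line of real `exim -bV` output has the form
# "Exim version X.YZ #N built <date>"; everything else is ignored here.
SAMPLE_OUTPUTS = {
    "mx1.example.test": "Exim version 4.92 #3 built 12-Jun-2019 11:01:43\n"
                        "Copyright (c) University of Cambridge, 1995 - 2018\n",
    "mx2.example.test": "Exim version 4.93 #1 built 04-Dec-2019 10:21:11\n",
    "mx3.example.test": "Exim version 4.94.2 #2 built 13-May-2021 08:00:00\n",
    "mx4.example.test": "bash: exim: command not found\n",
}

VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)+)", re.MULTILINE)


def parse_exim_version(output: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from `exim -bV` output, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(version: Tuple[int, ...]) -> bool:
    """True when the parsed version is older than 4.93 (e.g. 4.92 or 4.92.3)."""
    # Tuple comparison handles point releases: (4, 92, 3) < (4, 93) is True.
    return version < MIN_SAFE_VERSION


def triage(outputs: dict) -> dict:
    """Map each host to 'update', 'ok' or 'unknown' (no parseable version line)."""
    result = {}
    for host, out in outputs.items():
        version = parse_exim_version(out)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "update" if needs_update(version) else "ok"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" still need a manual look, since a missing or renamed binary says nothing about whether an older Exim is installed elsewhere on the box.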