Exim Vulnerability: GRU Widely Exploited Critical 2019 Bug, Warns NSA

“A new wave of Sandworm attacks is deeply concerning.”

The US’s National Security Agency (NSA) says Russian military intelligence is widely abusing a critical 2019 vulnerability within the Exim mail transfer software

The NSA said the GRU’s Main Center for Special Technologies (GTsST) are using the bug to “add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access.”

The hackers are popularly known as “Sandworm”.

Exim is a mail transfer agent used widely in Unix-based systems and  comes pre-installed in many Linux deployments. A critical vulnerability (CVE-2019-10149) exists in all versions of Exim’s MTA from version 4.87 to 4.91; it was first reported by Qualys.

While this has been patched upstream since June 2019, the perennial problem of poor cyber hygiene and irregular patching means many are still exposed. (Check your Linux OS vendor for updated packages and patch if you haven’t. Yes, really, do it…)

A NCSC spokesperson commented that: “We have notified UK providers affected by this activity and have recommended they protect users by patching the vulnerability. The UK and its allies will continue to expose those who conduct hostile and destabilising cyber attacks.”

The detected attacks on networks weakened by this vulnerability have been attributed to Russian military cyber actors known as the ‘Sandworm Team’. The NSA says the attacks have been widespread since August.

Yana Blachman, threat intelligence specialist at Venafi told Computer Business Review that: “A new wave of Sandworm attacks is deeply concerning. Highly sophisticated APT groups can use SSH capabilities to maintain undetected remote access to critical systems and data, allowing attackers to do nearly anything from circumventing security controls, injecting fraudulent data, subverting encryption software and installing further payload.

“There has been a rise in both malware and APT campaigns that leverage SSH, but unfortunately, organisations routinely overlook the importance of protecting this powerful asset.”

Exim Bug CVE-2019-10149

The vulnerability is of the most critical nature as it has received a 9.8 score on the National Vulnerability Database (NVD). The issue at heart is an improper validation of a recipient’s address within the message delivery function, a flaw that allows hackers to execute remote commands.

When the CVE was first brought to their attention last year Exim stated in a security advisory that: “A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87. The severity depends on your configuration.  It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.”

If you are running a version of Exim 4.92 or higher you should be safe from the exploit, but all prior versions of the software need an immediate fix. The simplest fix for vulnerability is to update the Exim mail server to the current version of Exim which is 4.93.

Wai Man Yau, VP at open source software security specialist Sonatype noted: “The incident once again brings software hygiene to the fore, and underscores the urgent need for businesses to maintain a software ‘bill of materials’ to manage, track and monitor components in their applications, and to identify, isolate, and remove vulnerabilities like this one. Without one, they’re in a race against time to try and find the flaw before their adversaries do.”