A patch for the vulnerability the hackers are targeting has existed for almost a year.
Russian military personnel collectively known as “Sandworm” are responsible for continued incursions into email server software that give unauthenticated users privileged access that would allow them to install programs, modify data and create new accounts, according to the National Security Agency.
A security update the NSA issued with the attribution Thursday highlights the danger of failing to regularly patch systems and stresses the importance of using the most up to date software available.
“Cyber actors from the [General Staff of the Armed Forces of the Russian Federation] Main Center for Special Technologies, field post number 74455, have been exploiting a vulnerability in Exim mail transfer agent software since at least August 2019,” the NSA update reads. “The cyber actors responsible for this malicious cyber program are known publicly as Sandworm team.”
The software, called Exim, is used by more than half of all email servers, according to research from SecuritySpace. It was developed by the University of Cambridge and is available for free under a public license.
The vulnerability being exploited—tagged by numbering authorities as CVE-2019-10149—is associated with Exim version 4.87, which developers are no longer supporting. Exim released a new version of the software—version 4.93—last June attackers are still able to penetrate unpatched systems.
“Although Exim released a security update for the MTA vulnerability in June 2019, Sandworm cyber actors have been exploiting this vulnerability in unpatched Exim servers,” the Cybersecurity and Infrastructure Security Agency said in a press release amplifying the NSA update.
The NSA update included IP addresses associated with Sandworm which would serve as indicators of compromise and warned administrators that there are other vulnerabilities too in older unsupported versions of the software.
“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities,” the update says. “Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available.”
For more wholesale protection against this sort of attack, the NSA also noted the utility of detection tools which would recognize and alert users to unauthorized changes, and the importance of segmenting system architecture so that mail transfer agents such as Exim would only have select access to key ports.
“Public facing MTAs should be isolated from sensitive internal resources in a demilitarized zone (DMZ) enclave,” the NSA said. “If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the Internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated.”