Russia-linked APT exploited at least 3 Exim flaws in recent attacks

Several flaws in the Exim mail transfer agent (MTA) have been exploited by Russia-linked hackers, hundreds of thousands of servers are still unpatched.

Russia-linked threat actors have exploited several vulnerabilities in the Exim mail transfer agent (MTA) in their campaigns.

Last week, the U.S. National Security Agency (NSA) warned that Russia-linked APT group tracked Sandworm Team has been exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA).

According to the NSA, hackers belonging to the Unit 74455, under the Russian GRU Main Center for Special Technologies (GTsST), are exploiting the CVE-2019-10149 issue after an update was issued in June 2019.

The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.” states the advisory.

Russian state-sponsored hackers leverage the vulnerability to download a shell script from a domain under their control and use it to “add privileged users, disable network security settings, update SSH configurations to enable additional remote access, execute an additional script to enable follow-on exploitation.”

NSA recommends patching Exim servers immediately by installing version 4.93 or newer.

Now security firm RiskIQ revealed that threat actors had exploited two other Exim vulnerabilities in the same campaign. The two issues are:

• a remote code execution vulnerability tracked as CVE-2019-15846, it impacts version 4.92.1 and earlier and was patched in September 2019;
• a DoS and code execution flaw tracked as CVE-2019-16928, it impacts versions 4.92 through 4.92.2.

In May, RiskIQ experts identified more than 900,000 vulnerable Exim servers. Most of the servers were running version 4.92, this means that they were patched against the CVE-2019-10149 issue, while they were still impacted by the other two vulnerabilities.

Experts noticed that many servers were updated in May, but there are still hundreds of thousands of vulnerable servers.

“The vulnerabilities leveraged impact Exim Internet Mailer version 4.87 – 4.92. Searching RiskIQ’s internet intelligence database, from May 1, 2020, RiskIQ has observed over 900K vulnerable Exim instances.” reads the analysis published by RiskIQ.

Querying Shodan search engine for vulnerable Exim servers we can verify that there are more than 250,000 installs running version 4.91 and over one million servers running version 4.92.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]