Russia-linked threat actors have exploited several vulnerabilities in the Exim mail transfer agent (MTA) in their campaigns.
Last week, the U.S. National Security Agency (NSA) warned that Russia-linked APT group tracked Sandworm Team has been exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA).
According to the NSA, hackers belonging to the Unit 74455, under the Russian GRU Main Center for Special Technologies (GTsST), are exploiting the CVE-2019-10149 issue after an update was issued in June 2019.
The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.” states the advisory.
Russian state-sponsored hackers leverage the vulnerability to download a shell script from a domain under their control and use it to “add privileged users, disable network security settings, update SSH configurations to enable additional remote access, execute an additional script to enable follow-on exploitation.”
NSA recommends patching Exim servers immediately by installing version 4.93 or newer.
Now security firm RiskIQ revealed that threat actors had exploited two other Exim vulnerabilities in the same campaign. The two issues are:
In May, RiskIQ experts identified more than 900,000 vulnerable Exim servers. Most of the servers were running version 4.92, this means that they were patched against the CVE-2019-10149 issue, while they were still impacted by the other two vulnerabilities.
Experts noticed that many servers were updated in May, but there are still hundreds of thousands of vulnerable servers.
“The vulnerabilities leveraged impact Exim Internet Mailer version 4.87 – 4.92. Searching RiskIQ’s internet intelligence database, from May 1, 2020, RiskIQ has observed over 900K vulnerable Exim instances.” reads the analysis published by RiskIQ.
Querying Shodan search engine for vulnerable Exim servers we can verify that there are more than 250,000 installs running version 4.91 and over one million servers running version 4.92.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, cybersecurity)
[adrotate banner=”5″]
[adrotate banner=”13″]
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.