The U.S. National Security Agency’s Central Security Service today issued a warning that Russian military hackers have been exploiting a known vulnerability in email servers since at least August.

The group behind the attack, known as the Sandworm Team, has been targeting unpatched Exim mail transfer agent software found on Unix-based systems and some Linux distributions as well. The Sandworm Team is said to be the part of the Russian General Staff Main Intelligence Directorate’s Main Center for Special Technologies, meaning that the attacks are state-sponsored.

The vulnerability was discovered in June and is a remote command execution vulnerability that is exploitable instantly by a local attacker and by a remote attacker in certain nondefault configurations.

The vulnerability, which affects Exim versions 4.87 to 4.91, was patched upon discovery and does not affect later versions of Exim either. But not all installations of the software have been patched or updated to later versions, opening the door to Sandworm.

The NSA noted that the exploit is being used to add privileged users, disable network security settings and execute additional scripts for further network exploitation; “pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

“This emphasizes the need for a good vulnerability management plan,” Lamar Bailey, senior director of security research at cybersecurity firm Tripwire Inc., told SiliconANGLE. “High-scoring vulnerabilities on a production email server are high-risk and there should be plans in place to remediate them ASAP.”

Satnam Narang, staff research engineer at cyber exposure firm Tenable Inc., noted that security researchers observed active exploitation attempts in the wild a mere four days after the flaw was originally patched and today there are nearly a half-million servers still vulnerable.

“Whether it is a nation-state or financially driven threat actors, this is another reminder that cybercriminals tend to set their sights on low-hanging fruit,” Narang said. “Zero-day vulnerabilities garner much attention, but practically speaking, it’s the publicly known unpatched vulnerabilities that provide cybercriminals the best bang for their buck. This is because many organizations struggle to keep pace with the sheer volume of newly discovered vulnerabilities, providing cybercriminals a window of opportunity to gain a foothold by exploiting flaws such as this one.”

Photo: Pixabay