UPDATED 22:54 EDT / MAY 28 2020


NSA warns Russian hacking group is targeting unpatched email servers

The U.S. National Security Agency’s Central Security Service today issued a warning that Russian military hackers have been exploiting a known vulnerability in email servers since at least August.

The group behind the attacks, known as the Sandworm Team, has been targeting unpatched installations of the Exim mail transfer agent, software that runs on Unix-based systems and ships with some Linux distributions. The Sandworm Team is said to be part of the Russian General Staff Main Intelligence Directorate’s Main Center for Special Technologies, meaning the attacks are state-sponsored.

The vulnerability, discovered in June, is a remote command execution flaw that can be exploited immediately by a local attacker, and by a remote attacker in certain non-default configurations.

The vulnerability, which affects Exim versions 4.87 through 4.91, was patched when it was discovered and does not affect later versions of Exim. But not all installations have been patched or upgraded to later versions, leaving the door open to Sandworm.
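A simple triage check over the version range named above, added here as an example rather than code from the article, the NSA or the Exim project; it parses the banner that `exim -bV` prints and flags hosts whose upstream version falls in 4.87 through 4.91. The hostnames and banners are constructed sample data, and a version match is a signal to investigate, not proof of exposure, since some distributions backport fixes without changing the upstream version number.

```python
import re
from typing import Dict, Optional, Tuple

# Affected upstream range as reported in the article: Exim 4.87 through 4.91.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# `exim -bV` prints a banner such as "Exim version 4.91 #1 built ...".
_BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from an `exim -bV` banner, or None if
    the text is not an Exim banner (e.g. another MTA is installed)."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected_version(version: Tuple[int, int]) -> bool:
    """True when the upstream version lies inside the 4.87..4.91 range.
    Tuple comparison keeps 4.9x ordering numeric rather than lexical."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's banner: 'patch-now' (in affected range),
    'not-in-range' (older or newer upstream), or 'unknown' (not Exim).
    A 'patch-now' host still needs a check for distro-backported fixes."""
    results = {}
    for host, banner in hosts.items():
        version = parse_exim_version(banner)
        if version is None:
            results[host] = "unknown"
        elif is_affected_version(version):
            results[host] = "patch-now"
        else:
            results[host] = "not-in-range"
    return results


# Constructed sample inventory (hypothetical hosts; build dates are placeholders).
SAMPLE_HOSTS = {
    "mx1.example.test": "Exim version 4.91 #1 built 01-Jan-2020 00:00:00",
    "mx2.example.test": "Exim version 4.93 #3 built 01-Jan-2020 00:00:00",
    "mx3.example.test": "Exim version 4.87 #1 built 01-Jan-2020 00:00:00",
    "mx4.example.test": "postfix: mail version 3.4.7",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```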

The NSA noted that the exploit is being used to add privileged users, disable network security settings and execute additional scripts for further network exploitation; “pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

“This emphasizes the need for a good vulnerability management plan,” Lamar Bailey, senior director of security research at cybersecurity firm Tripwire Inc., told SiliconANGLE. “High-scoring vulnerabilities on a production email server are high-risk and there should be plans in place to remediate them ASAP.”

Satnam Narang, staff research engineer at cyber exposure firm Tenable Inc., noted that security researchers observed active exploitation attempts in the wild a mere four days after the flaw was originally patched, and that today nearly a half-million servers remain vulnerable.

“Whether it is a nation-state or financially driven threat actors, this is another reminder that cybercriminals tend to set their sights on low-hanging fruit,” Narang said. “Zero-day vulnerabilities garner much attention, but practically speaking, it’s the publicly known unpatched vulnerabilities that provide cybercriminals the best bang for their buck. This is because many organizations struggle to keep pace with the sheer volume of newly discovered vulnerabilities, providing cybercriminals a window of opportunity to gain a foothold by exploiting flaws such as this one.”

Photo: Pixabay
