
Exim Vulnerability: GRU Widely Exploited Critical 2019 Bug, Warns NSA

“A new wave of Sandworm attacks is deeply concerning."

By CBR Staff Writer

The US National Security Agency (NSA) says Russian military intelligence is widely abusing a critical 2019 vulnerability in the Exim mail transfer software.

The NSA said the GRU’s Main Center for Special Technologies (GTsST) is using the bug to “add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access.”

The hackers are popularly known as “Sandworm”.

Exim is a mail transfer agent used widely in Unix-based systems and comes pre-installed in many Linux deployments. A critical vulnerability (CVE-2019-10149) exists in all versions of Exim’s MTA from version 4.87 to 4.91; it was first reported by Qualys.

While this has been patched upstream since June 2019, the perennial problem of poor cyber hygiene and irregular patching means many are still exposed. (Check your Linux OS vendor for updated packages and patch if you haven’t. Yes, really, do it…)

A NCSC spokesperson commented that: “We have notified UK providers affected by this activity and have recommended they protect users by patching the vulnerability. The UK and its allies will continue to expose those who conduct hostile and destabilising cyber attacks.”

The detected attacks on networks weakened by this vulnerability have been attributed to Russian military cyber actors known as the ‘Sandworm Team’. The NSA says the attacks have been widespread since August.


Yana Blachman, threat intelligence specialist at Venafi told Computer Business Review that: “A new wave of Sandworm attacks is deeply concerning. Highly sophisticated APT groups can use SSH capabilities to maintain undetected remote access to critical systems and data, allowing attackers to do nearly anything from circumventing security controls, injecting fraudulent data, subverting encryption software and installing further payload.

“There has been a rise in both malware and APT campaigns that leverage SSH, but unfortunately, organisations routinely overlook the importance of protecting this powerful asset.”

Exim Bug CVE-2019-10149

The vulnerability is rated critical, having received a 9.8 score on the National Vulnerability Database (NVD). At its heart is improper validation of a recipient’s address within the message delivery function, a flaw that allows attackers to execute remote commands.

When the CVE was first brought to its attention last year, Exim stated in a security advisory that: “A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87. The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.”

If you are running Exim 4.92 or higher you should be safe from the exploit, but all prior versions of the software need an immediate fix. The simplest fix for the vulnerability is to update the Exim mail server to the current version of Exim, which is 4.93.
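The version boundaries above (4.87 through 4.91 affected, 4.92 and later fixed upstream) are easy to get wrong when triaging a fleet by hand. The following script is an added example, not code from the article, Exim, or the NSA: it parses the first line of `exim -bV` output, classifies the installed version against those boundaries, and can be run against the local binary. The sample banners at the bottom are constructed for illustration, not captured from any real host.

```python
import re
import subprocess
from typing import Optional, Tuple

# Boundaries as stated in the article: CVE-2019-10149 affects Exim 4.87
# through 4.91; the upstream fix shipped in 4.92. Anything older than 4.87
# is simply unsupported and should be upgraded regardless.
VULN_MIN: Tuple[int, int] = (4, 87)
VULN_MAX: Tuple[int, int] = (4, 91)
FIXED_MIN: Tuple[int, int] = (4, 92)

# `exim -bV` prints a first line of the form "Exim version 4.92 #3 built ...";
# only the first two numeric components matter for this check.
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from `exim -bV` output; None if not recognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(version: Tuple[int, int]) -> str:
    """Map a parsed version onto one of three triage buckets."""
    if version >= FIXED_MIN:
        return "patched-upstream"
    if VULN_MIN <= version <= VULN_MAX:
        return "vulnerable"
    return "unsupported"  # pre-4.87: out of support, upgrade anyway


def check_banner(banner: str) -> str:
    """Classify a raw `exim -bV` banner; 'unknown' if it cannot be parsed."""
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return classify(version)


def check_local_exim() -> str:
    """Run the real binary on this host, or report that it is not installed."""
    try:
        proc = subprocess.run(
            ["exim", "-bV"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "not-installed"
    return check_banner(proc.stdout)


# Constructed sample banners (hypothetical, not taken from a real system).
SAMPLE_BANNERS = {
    "host-a": "Exim version 4.91 #1 built 10-Mar-2019 12:00:00",
    "host-b": "Exim version 4.92 #3 built 26-Jun-2019 19:13:38",
    "host-c": "Exim version 4.86 #2 built 01-Jan-2016 09:00:00",
    "host-d": "command not found",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(f"{host}: {check_banner(banner)}")
    print(f"this host: {check_local_exim()}")
```

One caveat worth building into any real inventory: Linux distributions often backport the security fix while keeping the old upstream version number, so a package that reports 4.89 or 4.90 may already be fixed. Treat a "vulnerable" result here as a prompt to check the vendor package changelog (as the article advises), not as proof of exposure.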


Wai Man Yau, VP at open source software security specialist Sonatype noted: “The incident once again brings software hygiene to the fore, and underscores the urgent need for businesses to maintain a software ‘bill of materials’ to manage, track and monitor components in their applications, and to identify, isolate, and remove vulnerabilities like this one. Without one, they’re in a race against time to try and find the flaw before their adversaries do.”
