NSA warns of new Sandworm attacks on email servers

NSA says Russia's military hackers have been attacking Exim email servers to plant backdoors since August 2019.

The NotPetya gang is back: NSA warns of new Sandworm attacks

The US National Security Agency (NSA) has published today a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia's most advanced cyber-espionage units.

The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability tracked as CVE-2019-10149, the NSA said in a security alert [PDF] shared today with ZDNet.

"When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain," the NSA says.

This shell script would:

  • Add privileged users
  • Disable network security settings
  • Update SSH configurations to enable additional remote access
  • Execute an additional script to enable follow-on exploitation

The NSA is now warning private and government organizations to update their Exim servers to version 4.93 and look for signs of compromise. Indicators of compromise are available in the NSA's PDF, linked above.

Sandworm had 9 months to carry out attacks

The Sandworm group has been active since the mid-2000s and is believed to be the hacker group who developed the BlackEnergy malware that caused a blackout in Ukraine in December 2015 and December 2016, and the group who developed the infamous NotPetya ransomware that caused damages of billions of US dollars to companies all over the world. It is currently considered one of the two most advanced Russian state-sponsored hacking groups, together with Turla.

The CVE-2019-10149 vulnerability was disclosed in June 2019, and was codenamed "Return of the WIZard."

Within a week after it was disclosed, hacking groups began abusing it. After two weeks, Microsoft had also issued an alert at the time, warning Azure customers that a threat actor had developed an Exim self-spreading worm that exploited this vulnerability to take over servers running on Azure infrastructure.

Nearly half of the internet's email servers run Exim. According to stats from May 1, 2020, only a half of all Exim servers have been updated to version 4.93, or later, leaving a large number of Exim instances exposed to attacks.

"Many orgs fixate on the new and shiny, like cloud and mobile. However, they forget that really old services like SMTP run a big chunk of their personal and business lives, and by definition those services are Internet-exposed," Richard Bejtlich, Principal Security Strategist at cyber-security firm Corelight, told ZDNet.

"They make perfect targets for adversaries as they face the Internet, they handle the most sensitive data, and people treat them like appliances, meaning they are often forgotten so long as they continue working, and are not monitored."

Naming-and-shaming continues

But today's NSA security advisory also has two other purposes besides just urging Exim administrators to patch their servers.

It's also meant to burn a lot of Sandworm offensive infrastructure. Following today's alert, Sandworm operators are most likely to lose access to many of the servers they've been hacking for the past nine months, as server administrators deploy patches and remove Sandworm backdoors.

Second, the advisory draws the world's attention to Russia's cyber-espionage operations, again. Many of these Russian opreations have often crossed a line of what's acceptible in modern-day cyber-intelligence gathering by often causing havoc in the real world (i.e. NotPetya, BadRabbit, BlackEnergy, Georgia DDoS attacks, DNC hack, etc.).

The US and fellow Five Eyes countries have made naming and shaming Russian cyber-attacks a matter of policy, since at least late 2018, and they have continued ever since, expanding the policy to Chinese, Iranian, and North Korean operations as well.