NSA Sandworm Hacking Advisory Unlikely to Stall Russian Crew

The National Security Agency (NSA) recently issued a cybersecurity warning that a notorious, Russian government-backed hacking group has been attacking vulnerable email servers for nearly a year.

According to the alert, the advanced persistent threat (ATP) group Sandworm has been exploiting a vulnerability (CVE-2019-10149) in Exim mail transfer agent (MTA) software. Millions of systems run Exim software, which transfers electronic mail messages from one computer to another and comes pre-installed on some Linux versions.

The bad actors have exploited CVE-2019-10149 by sending a command in the "MAIL FROM" field of a Simple Mail Transfer Protocol (SMTP) message. The victim machine subsequently downloads and executes a shell script from a Sandworm-controlled domain. The script attempts to do the following on the victim machine:

  • Add privileged users.
  • Disable network security settings.
  • Update SSH configurations to enable additional remote access.
  • Execute an additional script to enable follow-on exploitation.

Other than putting system administrators on notice, the NSA's advisory isn't likely to stall the Russian-backed operatives from attacking key targets, Greg Lesnewich, a threat intelligence researcher at Recorded Future, told DarkReading. "I think that Russian intelligence agencies have a high risk tolerance and feel pretty emboldened to do what they are doing, so I'm not entirely sure what we could potentially do to deter them from conducting these activities, he said."

A year ago, an update for CVE-2019-10149 in Exim was released, patching the remote code execution vulnerability that was introduced in Exim version 4.87. The Sandworm crew has been able to attack the vulnerability in unpatched Exim servers since August, 2019 if not before, the alert said.

Network-based security appliances may be able to detect and/or block CVE-2019-10149 exploit attempts, the NSA said. It advised network administrators to:

  • Immediately update Exim to version 4.93 or newer. Because other vulnerabilities exist and are likely to be exploited, the latest fully patched version should be used.
  • System administrators should continually check software versions and update as new versions become available.
  • Administrators should  review network security devices protecting Exim mail servers to identify prior exploitation and to ensure network-based protection for any unpatched Exim servers.

The Main Directorate of the General Staff of the Armed Forces (GRU) is said to be the Russian government agency backing Sandworm, which is also known as GRU Unit 74455, Iridium, Electrum, BlackEnergy, and Voodoo Bear. Sandworm has hit a number of critical targets, notably a 2015 cyber attack that cut electricity in Ukraine to nearly 250,000 people in December, 2015. It has operated in one form or another for more than a decade. After the Ukraine blackout, the group seemed to have stopped actively using BlackEnergy, superseding it with a next generation variant dubbed GreyEnergy. Compared to BlackEnergy, GreyEnergy is a more modern toolkit with an even greater focus on stealth, according to researchers.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.