Russian Sandworm Attackers Hijack Exim Mail Server

A known but unpatched vulnerability in the Exim mail transfer agent let Russian state hackers take over Unix mail servers. Here is what happened.

The Incident

On Thursday, 28 May 2020, the US National Security Agency (NSA) publicly accused Sandworm, a unit of Russia's GRU military intelligence agency, of exploiting CVE-2019-10149 in Exim, a widely deployed mail transfer agent (MTA) for Unix-like systems. The agency said Sandworm had been exploiting the flaw since at least August 2019, using its own servers to deliver the initial attack. It did not name the victims or say how many systems were compromised.

Threat Source

Sandworm, identified as GRU Unit 74455 and active since at least 2009, was responsible for the cyberattacks on Ukraine's power grid in 2015 and 2016 and for attacks on Georgia. According to researchers, the group relies on publicly available penetration-testing and exploitation tools, and has used them against Ukrainian targets in SCADA (Supervisory Control and Data Acquisition) and industrial automation, media, energy and government. Also tracked as Voodoo Bear and TeleBots, Sandworm is the only group publicly known to have caused a real-world blackout, through its attacks on Ukrainian networks since the conflict with Russia began in 2014.

How Did It Happen?

The attack began with a specially crafted SMTP message sent to organizations running unpatched Exim on their public-facing MTAs. The attacker's command was carried in an address field of the message, and Exim executed it while processing the mail, with no action by any user.
The vulnerable server then downloaded and ran a shell script from an attacker-controlled domain. That script gave Sandworm what it needed to change the host's configuration and keep remote access to the institution's network.
CVE-2019-10149 itself is a remote command execution flaw in Exim 4.87 through 4.91: a malformed recipient address is expanded by Exim and the embedded command runs with Exim's privileges, which on most installations means root. That is what let the follow-on script add privileged users, disable network security settings, alter the SSH configuration to open further remote access, and stage additional code. Root on the mail server also means the attacker can read every message passing through it, which is, in reality, an attacker's dream access.
An MTA must parse sender and recipient data supplied by anyone on the internet before a user ever sees the message, so a flaw in that parsing is reachable without user interaction. The risk is higher where the same organization operates Industrial Control System (ICS) and SCADA equipment for monitoring and reporting: a compromised mail server on such a network gives the attacker a foothold next to it.
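The following is an added example, not code from the original article or from the NSA advisory. It checks the two things an administrator wants to know first: whether the local Exim build is in the affected range (4.87 through 4.91; 4.92 carries the fix), and whether the mail log shows addresses carrying Exim expansion items such as `${run{...}}`, the construct the public exploit for this flaw relies on. The `exim -bV` banners and the log lines are constructed sample input, and the expansion items flagged beyond `run` are included on the assumption that an address containing any of them is worth a look.

```python
"""Exposure check for CVE-2019-10149 on an Exim host (added example)."""
import re

# Exim 4.87 through 4.91 are affected; 4.92 (February 2019) carries the fix.
FIRST_VULNERABLE = (4, 87)
LAST_VULNERABLE = (4, 91)

# Expansion items an attacker can place in an address to get Exim to act on
# its behalf. ${run{...}} is the one the public exploit used; the others are
# documented Exim expansion items and are flagged here as an assumption.
EXPANSION_PATTERN = re.compile(r"\$\{(run|perl|dlfunc|readsocket|readfile)\{")
# The public exploit smuggled '/' and quotes as \xHH escapes.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_exim_version(banner):
    """Return (major, minor) from the first line of `exim -bV`, or None."""
    m = re.search(r"Exim version (\d+)\.(\d+)", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_exim(banner):
    """True if the banner reports a version in the affected range."""
    ver = parse_exim_version(banner)
    if ver is None:
        raise ValueError("unrecognised exim -bV output")
    return FIRST_VULNERABLE <= ver <= LAST_VULNERABLE


def normalise(text):
    """Decode \\xHH escapes so obfuscated payloads match the pattern."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_log(lines):
    """Return (line_no, decoded_line) for lines carrying an expansion item."""
    hits = []
    for no, line in enumerate(lines, 1):
        decoded = normalise(line)
        if EXPANSION_PATTERN.search(decoded):
            hits.append((no, decoded))
    return hits


# Constructed Exim main-log style lines, not real traffic. The second line
# carries a harmless `id` command in place of a real payload.
SAMPLE_LOG = [
    "2019-08-12 03:14:07 1hxyzA-000123-AB <= bob@example.org "
    "H=mail.example.org [192.0.2.10] P=esmtp S=2048 for alice@victim.example",
    "2019-08-12 03:14:09 1hxyzB-000124-CD <= root@attacker.example "
    "H=(x) [198.51.100.7] P=esmtp S=512 "
    "for ${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@localhost",
    "2019-08-12 03:15:00 1hxyzC-000125-EF => alice <alice@victim.example> "
    "R=local_user T=local_delivery",
]

# Constructed `exim -bV` first lines.
SAMPLE_BANNERS = [
    "Exim version 4.91 #1 built 20-Jun-2019 10:02:31",
    "Exim version 4.92 #3 built 29-Jul-2019 11:12:37",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        state = "VULNERABLE" if is_vulnerable_exim(banner) else "patched"
        print(f"{banner!r}: {state}")
    for no, line in scan_log(SAMPLE_LOG):
        print(f"line {no}: expansion item in address: {line}")
```

On a live host, feed `scan_log` the contents of Exim's main log (commonly `/var/log/exim4/mainlog` on Debian-derived systems) and `is_vulnerable_exim` the first line of `exim -bV`. A hit in the log is evidence of an attempt, not proof of success; the host checks under Preventive Measures are what tell you whether the follow-on script ran.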

The Impact

Whether the mail servers were attacked for espionage or in preparation for sabotage, like the attacks on Ukraine's government agencies, is not clear. Jake Williams, a former NSA hacker, points out that a compromised MTA is a pivot point: it is exposed to the internet and lets attackers dig deeper into the internal network behind it. From the attacker's point of view, that initial foothold makes every later step easier.

Preventive Measures

Alongside its attribution, the NSA recommended several mitigations:
Apply Exim updates immediately: install a fixed release (4.92 or later; the NSA recommends 4.93 or newer) and keep checking for updates, since older versions remain exposed.
Detect unauthorized modifications and exploitation attempts: routinely review network and mail logs, newly created accounts and SSH keys; file integrity monitoring can alert on, or block, unauthorized changes to system files. Intrusion detection systems such as Snort can catch known exploitation patterns, but administrators should also review raw traffic logs, since signatures will miss newer techniques.

Implement a defence-in-depth strategy: segment the network into zones, place public-facing systems such as MTAs in a demilitarized zone (DMZ) separated from sensitive internal systems, block unnecessary outbound traffic, and apply strict firewall rules. Layered controls limit what an attacker gains from exploiting public-facing software such as an MTA.
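As an added example of the second recommendation (not code from the article or the NSA advisory), the Python below does the host-side part: it compares a baseline of watched files against their current state by SHA-256, lists any UID 0 account other than root in /etc/passwd, and reports SSH authorized keys that were not in the baseline. The baseline and "compromised" file contents are constructed to resemble a host where a follow-on script of the kind the advisory describes has done its work; the watched paths and the account name are assumptions.

```python
"""Host indicators after an Exim compromise: baseline diff, UID 0 accounts,
new SSH keys. Added example with constructed data, not the article's code."""
import hashlib

AUTH_KEYS = "/root/.ssh/authorized_keys"  # assumed path for the root account

# Constructed contents of a clean host (the baseline).
BASELINE_FILES = {
    "/etc/passwd": (
        b"root:x:0:0:root:/root:/bin/bash\n"
        b"Debian-exim:x:101:103::/var/spool/exim4:/usr/sbin/nologin\n"
    ),
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    AUTH_KEYS: b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey00000000 admin@ops\n",
}

# Constructed contents of the same host after a follow-on script: an extra
# UID 0 account, root login re-enabled over SSH, and an attacker key added.
COMPROMISED_FILES = {
    "/etc/passwd": BASELINE_FILES["/etc/passwd"] + b"svc_mail:x:0:0::/:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    AUTH_KEYS: BASELINE_FILES[AUTH_KEYS]
    + b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleAttackerKey0000 x@x\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def take_baseline(files):
    """files: {path: bytes}. Return {path: sha256 hex}; store this off-host."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline, files):
    """Return which watched paths were added, removed or modified."""
    current = take_baseline(files)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def uid0_accounts(passwd_text):
    """Login names with UID 0 other than root, from /etc/passwd content."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def new_authorized_keys(baseline_lines, current_lines):
    """Keys present now but absent from the baseline (comment field ignored)."""
    def key_id(line):
        parts = line.split()
        return tuple(parts[:2]) if len(parts) >= 2 else None
    known = {key_id(k) for k in baseline_lines if key_id(k)}
    return [k for k in current_lines if key_id(k) and key_id(k) not in known]


def audit(baseline_files, current_files):
    """Combine the three checks into one findings dict."""
    findings = compare_to_baseline(take_baseline(baseline_files), current_files)
    findings["uid0_accounts"] = uid0_accounts(
        current_files.get("/etc/passwd", b"").decode())
    findings["new_ssh_keys"] = new_authorized_keys(
        baseline_files.get(AUTH_KEYS, b"").decode().splitlines(),
        current_files.get(AUTH_KEYS, b"").decode().splitlines())
    return findings


if __name__ == "__main__":
    for key, value in audit(BASELINE_FILES, COMPROMISED_FILES).items():
        print(f"{key}: {value}")
```

On a real host, take the baseline right after patching, keep the hashes somewhere the mail server cannot write to, and run the comparison from a trusted environment; a root-level compromise can otherwise edit the baseline as easily as the files it covers. Extend the watched set to Exim's own configuration and any startup scripts an attacker could use to regain access after a reboot.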

Final Words

Attacks like these raise the question of how well institutions protect the data entrusted to them, from bank account details to card numbers. Every day, experts uncover new weaknesses, whether through testing or by analysing systems that have already been compromised. Technology is still evolving, and the industry keeps looking for more secure ways to protect information systems from intrusion.

