Sandworm: A report from the National Security Agency (NSA) outlined how they believe the Russian threat group known as Sandworm has been hijacking mail servers by targeting a known vulnerability in Exim, a mail transfer agent. Since at least August of 2019, Sandworm has been using Exim as the initial infection vector, then likely pivoting to other parts of the victim’s network. An exploit for the vulnerability in Exim was released in June of 2019 and allows the attacker to send a malicious email to the server and immediately gain access to run code remotely. Sandworm has used their intrusions into mail servers to add their own privileged users to the servers, disable network security settings, update secure shell configurations to give its members more remote access, and run a script on the servers to enable further steps to exploit the target network, according to the NSA. Sandworm is a well-known threat group responsible for many attacks throughout the past years, which the US government has publicly identified as Unit 74455 of the Russian government’s military intelligence agency, GRU. Compromising mail servers is a well-known attack method, but the NSA warns because of how destructive Sandworm has been in the past, this attack should be noted.
Analyst Notes
Mail servers can provide a pivot point for attackers to move across a victim’s network. This attack is a perfect example of how important it is to update systems with patches after new vulnerabilities are found. The vulnerability in Exim was found almost a year ago and threat actors are still utilizing it to carry out attacks. The motivation behind the attacks is not yet known and the victims have not been released. Sandworm has targeted many different entities in the past including the 2018 Olympics and the cyber-attacks against Ukraine which caused blackouts throughout the county.
Read more here: https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/
