Threat Watch

Exim Vulnerabilities Exploited in Russian-Linked Attacks

In an alert issued by the NSA, companies and organizations were urged to update their Exim Mail Transfer Agent (MTA) servers to version 4.93 or newer. Earlier versions are reportedly affected by a series of vulnerabilities that are currently being exploited by a hacker group known as Sandworm, which has ties to the Russian military intelligence agency. While the NSA mentioned CVE-2019-10149, an Exim vulnerability that allowed remote code execution as root, RiskIQ also reports CVE-2019-15846 (another RCE vulnerability in Exim) and CVE-2019-16928 (a DoS and code execution vulnerability). RiskIQ reported that there are over 900,000 vulnerable Exim servers, with the majority running Exim 4.92.

ANALYST NOTES

Binary Defense recommends that all Exim mail servers be upgraded to 4.93 or newer. All critical servers should be kept up to date with security patches. Workstations and servers should also be continuously monitored for signs of attacker behavior, even if patches are applied, because many attacks take advantage of stolen or guessed passwords to remotely access servers using existing accounts. Recognizing intrusions in the early stages is the most effective way to limit the damage that can be caused when attackers have unlimited access to multiple systems for extended periods of time.
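The alert and the analyst notes both reduce to one actionable check: is every Exim server in your inventory at 4.93 or newer? The following script is an added example written for this page, not code from the NSA, RiskIQ or Binary Defense. It parses the Exim version out of either an SMTP greeting banner or the output of `exim -bV` and flags anything below 4.93. The hostnames and banner strings are constructed sample data. One caveat the script documents: distribution packages (Debian, Ubuntu, Red Hat) often backport security fixes without changing the upstream version number, so a host reported as "vulnerable" by version string alone should be confirmed against the package changelog before being treated as exposed.

```python
import re

# Minimum version the NSA alert calls for (assumption: upstream version numbering).
MIN_SAFE_VERSION = (4, 93)

# Matches "Exim 4.92" in an SMTP banner or "Exim version 4.92 #3" from `exim -bV`.
_VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_exim_version(text):
    """Return the Exim version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_version(version):
    """True if the parsed version is below the 4.93 floor from the alert.

    Tuple comparison handles patch levels: (4, 92, 3) < (4, 93) is True,
    while (4, 93) and (4, 93, 0) both compare as not vulnerable.
    Caveat: a distro build may carry backported fixes under an older
    upstream number, so treat 'vulnerable' as 'needs confirmation'.
    """
    return version < MIN_SAFE_VERSION


def triage_banners(banners):
    """Map host -> banner/version string to host -> 'vulnerable' | 'ok' | 'unknown'."""
    results = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            results[host] = "unknown"  # not Exim, or the version is not disclosed
        elif is_vulnerable_version(version):
            results[host] = "vulnerable"
        else:
            results[host] = "ok"
    return results


# Constructed sample inventory: made-up hostnames and banners, not real hosts.
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.92 Mon, 01 Jun 2020 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.93 Mon, 01 Jun 2020 10:00:00 +0000",
    "mx3.example.test": "Exim version 4.92.3 #2 built 01-Jan-2020 12:00:00",
    "mx4.example.test": "220 mx4.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, status in triage_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

Feed it the banners your mail gateways return (or the first line of `exim -bV` gathered by your configuration management tool) in place of `SAMPLE_BANNERS`; hosts marked "unknown" are either not running Exim or have the version hidden from the greeting, and should be resolved from package data rather than assumed safe.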

For more information, please see:
https://www.securityweek.com/several-exim-vulnerabilities-exploited-russia-linked-attacks