Sandworm: A report from the National Security Agency (NSA) outlined how the agency believes the Russian threat group known as Sandworm has been hijacking mail servers by exploiting a known vulnerability in Exim, a mail transfer agent. Since at least August of 2019, Sandworm has used Exim as its initial infection vector, then likely pivoted to other parts of the victim's network. An exploit for the Exim vulnerability was released in June of 2019; it allows an attacker to send a malicious email to the server and immediately gain the ability to run code on it remotely. According to the NSA, Sandworm has used its access to compromised mail servers to add its own privileged users, disable network security settings, update secure shell configurations to give its members more remote access, and run a script on the servers that enables further steps against the target network. Sandworm is a well-known threat group responsible for many attacks in past years, which the US government has publicly identified as Unit 74455 of the GRU, the Russian government's military intelligence agency. Compromising mail servers is a well-known attack method, but the NSA warns that, given how destructive Sandworm has been in the past, this activity deserves attention.
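As an added defender-side example (not from the NSA report and not Sandworm tooling), the following Python checks a mail server for two of the post-compromise changes described above: additional UID-0 accounts and SSH configuration directives that widen remote access. The file contents and the list of risky directives are constructed assumptions for the demonstration.

```python
"""Audit checks for the post-compromise changes described above (added example)."""

# Constructed sample data standing in for /etc/passwd and /etc/ssh/sshd_config
# on a hypothetical mail server; not taken from any real incident.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
exim:x:106:112::/var/spool/exim4:/usr/sbin/nologin
mailadm:x:1001:1001::/home/mailadm:/bin/bash
support:x:0:0::/home/support:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """# sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
"""

# Assumed directive/value pairs that widen remote SSH access; an administrator
# would compare these against the server's approved baseline.
RISKY_SSHD = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}


def find_extra_uid0_accounts(passwd_text):
    """Return account names other than 'root' whose UID is 0."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        if int(fields[2]) == 0 and fields[0] != "root":
            extra.append(fields[0])
    return extra


def find_risky_sshd_directives(config_text):
    """Return (directive, value) pairs whose value is listed in RISKY_SSHD.
    Lines beginning with '#' are comments and are ignored."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if value in RISKY_SSHD.get(key, set()):
            hits.append((parts[0], parts[1].strip()))
    return hits


def audit(passwd_text, sshd_text):
    """Run both checks and return the findings as a dict."""
    return {"extra_uid0": find_extra_uid0_accounts(passwd_text),
            "risky_sshd": find_risky_sshd_directives(sshd_text)}


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG))
```

On a live host the same functions can be fed the contents of /etc/passwd and /etc/ssh/sshd_config, and the findings compared against a known-good baseline rather than treated as proof of compromise on their own.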
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in