Russian Hackers Attack Exim Mail Transfer Agent


As the November elections in the United States draw closer, so do fears of a repeat of the 2016 scenario, when Russian hackers interfered in the presidential election.

It seems those worries have only gotten more fuel following the U.S. National Security Agency’s (NSA) advisory issued on 28th May.

According to the NSA’s advisory, a group of Russian military hackers better known as “Sandworm” has been exploiting a major mail transfer agent, Exim, since at least August last year, if not earlier.

The same group was involved in the U.S. 2016 presidential election, when it exposed several of the Democratic National Committee’s emails and broke into voter registration databases.

The same hacking group was also behind the 2017 NotPetya cyber attack. 

Exim Mail Transfer Agent Vulnerability Known for a While

The Exim vulnerability, CVE-2019-10149, allows a remote attacker to execute commands of their own choosing and, in essence, to:

  • Disable network security settings
  • Execute additional scripts and enable follow-on exploitation
  • Add privileged users
  • Update SSH configs and enable additional remote access

More specifically, the actors sent a command in the “Mail From” field of the SMTP message to exploit victims running Exim on their public-facing mail transfer agent.
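Because the malicious input arrives in an envelope field that Exim records in its main log, a defender can triage those logs for sender or recipient addresses that contain characters no legitimate mail address carries. The following script is an added example, not code from the article or from the Exim project: it pulls candidate addresses out of the three log-line forms Exim uses (the `<=` arrival line, the `F=<...>` sender field and `RCPT <...>` on rejection lines) and flags any that contain Exim string-expansion syntax (`$`, `{`, `}`). The log lines are constructed for this example and the expansion-syntax address is a deliberately harmless placeholder.

```python
import re

# Simplified patterns for the places Exim's main log records an address:
#   "<= sender@domain H=..."  message arrival (envelope sender)
#   "F=<sender>"              envelope sender on rejection lines
#   "RCPT <recipient>"        recipient on rejection lines
ADDRESS_PATTERNS = (
    ("sender", re.compile(r"<= (\S+)")),
    ("sender", re.compile(r"F=<([^>]*)>")),
    ("recipient", re.compile(r"RCPT <([^>]*)>")),
)

# Characters that do not occur in a legitimate RFC 5321 address but are part of
# Exim's ${...} string-expansion syntax. Seeing them in an envelope address is a
# strong sign that the peer is feeding Exim something other than an address.
SUSPICIOUS_CHARS = set("${}")

# Constructed sample log lines (not real traffic). The second and third lines
# use "${placeholder}" and "{note}" as stand-ins for expansion syntax.
SAMPLE_LOG_LINES = [
    "2019-08-15 10:21:04 1hyZbO-0003WJ-2Q <= alice@example.org "
    "H=mail.example.org [203.0.113.5] P=esmtp S=1523",
    "2019-08-15 10:22:17 H=(localhost) [198.51.100.7] "
    "F=<${placeholder}@localhost> rejected RCPT <bob@example.net>: "
    "sender verify fail",
    "2019-08-15 10:23:40 H=(scanner) [198.51.100.9] F=<carol@example.org> "
    "rejected RCPT <{note}@localhost>: relay not permitted",
    "2019-08-15 10:25:02 1hyZdW-0003WT-9p <= <> H=bounce.example.org "
    "[203.0.113.8] P=esmtp S=900",
]


def extract_addresses(line: str):
    """Return (field, address) pairs found in one Exim main-log line."""
    found = []
    for field, pattern in ADDRESS_PATTERNS:
        for match in pattern.finditer(line):
            found.append((field, match.group(1)))
    return found


def is_suspicious_address(address: str) -> bool:
    """True when the address contains expansion-syntax characters."""
    return any(c in SUSPICIOUS_CHARS for c in address)


def triage(lines):
    """Return (field, address, line) triples for every suspicious address."""
    findings = []
    for line in lines:
        for field, address in extract_addresses(line):
            if is_suspicious_address(address):
                findings.append((field, address, line))
    return findings


if __name__ == "__main__":
    for field, address, line in triage(SAMPLE_LOG_LINES):
        print(f"{field}: {address!r}\n    {line}")
```

In production you would feed `triage()` the lines of `/var/log/exim4/mainlog` (Debian-style path; other distributions differ) or its rotated copies, and treat any finding as a prompt to check the Exim version on that host and to review its subsequent cron, user and SSH configuration changes, which are the follow-on actions the advisory lists.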

The vulnerability in the Exim Mail Transfer Agent has been known for a while: it was identified 11 months before the NSA’s advisory, and a patch had already been issued. This raises the question:

Why issue the advisory now?

An NSA official, who wished to remain anonymous, explained that the agency is publicizing the Exim vulnerability because, despite the prior warnings, “it has continued to be exploited and needs to be patched”.

Who is the Target?

Exim is a very widely used MTA, deployed even by some government agencies and large companies, so it is not entirely clear whom the Russian hackers have targeted. However, according to US intelligence officials, Kremlin agents have been engaging in activities that threaten the integrity of the November presidential elections, just as they did in 2016.

The mail transfer agent is used on 326,241 of the 535,368 servers (out of a total of 960,243) that responded to the Security Space Mail (MX) Server Survey on 1st September.


If you have not yet done so, be sure to update and patch Exim Mail Transfer Agent to version 4.93 or newer as soon as possible.
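Checking whether a host actually meets that recommendation is easy to script. The following is an added example, not code from the article or the Exim project: it parses the first line of `exim -bV` output (which begins `Exim version 4.92 #2 built ...`), compares the numeric version against the 4.93 threshold the article recommends, and reports whether the host still needs patching. The `4.93` minimum is taken from the article; the banners used in the example are constructed.

```python
import re
import shutil
import subprocess

# Minimum version recommended in the article above.
MINIMUM_VERSION = (4, 93)

# `exim -bV` prints a line such as "Exim version 4.92 #2 built 17-Jun-2019".
VERSION_RE = re.compile(r"Exim version (\d+(?:\.\d+)+)")


def parse_exim_version(banner: str):
    """Return the numeric version as a tuple, e.g. (4, 92) or (4, 92, 3),
    or None when the text does not look like Exim's version banner."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def needs_patch(version, minimum=MINIMUM_VERSION) -> bool:
    """True when the installed version is older than the minimum.
    Tuple comparison is lexicographic, so (4, 92, 3) < (4, 93) and a bare
    (4, 93) still counts as patched."""
    return version < minimum


def check_local_exim():
    """Query the locally installed Exim binary, if any. Returns the parsed
    version tuple, or None when Exim is not installed or cannot be run."""
    exim = shutil.which("exim") or shutil.which("exim4")
    if exim is None:
        return None
    try:
        result = subprocess.run([exim, "-bV"], capture_output=True,
                                text=True, check=False, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_exim_version(result.stdout)


# Constructed banners used to exercise the parser offline.
SAMPLE_BANNERS = {
    "old": "Exim version 4.92 #2 built 17-Jun-2019 11:49:05",
    "point": "Exim version 4.92.3 #1 built 01-Oct-2019 09:00:00",
    "current": "Exim version 4.93 #3 built 10-Dec-2019 12:00:00",
}


if __name__ == "__main__":
    version = check_local_exim()
    if version is None:
        print("Exim not found on this host; showing constructed banners instead.")
        for label, banner in SAMPLE_BANNERS.items():
            v = parse_exim_version(banner)
            print(f"{label}: {v} -> {'NEEDS PATCH' if needs_patch(v) else 'ok'}")
    else:
        print(f"installed: {version} -> "
              f"{'NEEDS PATCH' if needs_patch(version) else 'ok'}")
```

Run it on each mail server in an inventory (for example over SSH from a jump host) and feed the result into whatever patch-tracking you already use; a version-string check is cheap and catches the common case of a box that was installed before the fix and never upgraded.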