A notorious and highly capable attack group that is part of the Russian intelligence community has been exploiting a known vulnerability in the Exim mail transfer agent for several months, compromising unpatched servers in the United States as part of its intrusion campaigns, the National Security Agency said in a rare advisory.
The warning from the NSA attributes the attacks to the group known as Sandworm, a team that is part of Russia’s General Staff Main Intelligence Directorate (GRU) military intelligence organization, and is allegedly responsible for some of the more damaging attacks in recent years. Sandworm has been linked to the attack that caused a major power outage in Ukraine in 2015, the NotPetya attack that paralyzed hospitals, shipping companies, and dozens of organizations around the world in 2017, and several smaller intrusions as well. The group tends to focus much of its attention on entities in Ukraine, but on Thursday the NSA warned enterprises and other potential targets that Sandworm is using the Exim vulnerability, which was disclosed and patched in June 2019, to gain a foothold on target networks.
“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA advisory says.
“When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.”
The Exim vulnerability (CVE-2019-10149) is an unusual one, and the main attack vector is a local one. But there is a remote exploitation method, too, and that’s what the Sandworm team appears to be using. Exim is a mail transfer agent that is used widely on Unix and Linux systems and it’s included in several Linux distributions.
“To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist,” the advisory from Qualys, which discovered the bug, said.
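Since the NSA's action item is simply to patch, the first thing a defender needs is an inventory of which of their own mail servers still run an affected release. The following is an added example, not code from the article, the NSA, or Qualys: it parses the version from Exim's default SMTP greeting and flags releases that are exploitable in the default configuration. The affected range (4.87 up to but not including the 4.92 fix) comes from the Qualys advisory rather than from the article; the host names and banners are constructed.

```python
import re

# Exim releases vulnerable by default to CVE-2019-10149 (range taken from the
# Qualys advisory, not from the article); the fix shipped in 4.92.
VULNERABLE_MIN = (4, 87)
FIXED = (4, 92)

# Exim's default greeting looks like "220 host ESMTP Exim 4.91 <date>".
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)")


def parse_exim_version(banner: str):
    """Return (major, minor) from an SMTP greeting, or None if the banner
    does not identify Exim at all."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_default_vulnerable(version) -> bool:
    """True when 4.87 <= version < 4.92, i.e. exploitable without any
    non-default build or configuration options."""
    return VULNERABLE_MIN <= version < FIXED


def triage_banners(banners):
    """Classify a {host: banner} inventory into 'patch', 'ok' or 'unknown'."""
    verdicts = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            verdicts[host] = "unknown"      # not Exim, or banner customised
        elif is_default_vulnerable(version):
            verdicts[host] = "patch"
        else:
            verdicts[host] = "ok"
    return verdicts


# Constructed sample inventory; these are not real hosts.
SAMPLE = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Thu, 28 May 2020 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.93 #3 Thu, 28 May 2020 10:00:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, verdict in triage_banners(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Distributions frequently backport the fix without changing the reported version string, so treat a "patch" verdict as a prompt to check the installed package's changelog rather than as proof the server is exploitable.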
Researchers at GreyNoise Intelligence, which gathers data on scan activity, have seen exploits against the Exim vulnerability since it was first disclosed and the activity has been relatively steady ever since, save for a spike in September. Andrew Morris, the founder of GreyNoise, said the exploit activity shows the characteristics of selective targeting, rather than mass exploitation.
“This is an exploit that we know isn’t being aggressively wormed in the way that some others are. It’s not being thrown into botnets. It’s quiet,” Morris said.
“It’s being used more manually and selectively by the bad guys. There’s more target checking and verification. This does not appear to have been weaponized in that way.”
GreyNoise's data shows 165 servers that have tried to exploit the Exim vulnerability against its systems; many of those servers are in the U.S. or China, and only 11 are located in Russia.
A public warning from the NSA about a specific vulnerability is unusual and carries with it a weight that a similar advisory from a threat intelligence company or even another government agency does not. The agency does not publish this kind of advisory very often, and when it does, there is a specific reason behind it.
“The NSA does this for a reason. They know for a fact that the Russians are using this exploit to get into networks with some success,” Morris said. “They have a culture of silence and they do not put things like this out there without a reason.”