A new wave of cyber attacks against email servers: Sandworm Attacks

new wave of cyber attacks against email servers

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattack against email servers, attacks conducted by one of Russia’s most advanced cyber-espionage units. The members of UNIT 74455 of the GRU Main Center for Special Technologies (GTsSt) have been attacking email servers running the Exim mail transfer agent which is also known as “Sandworm”. The members are from the division of the Russian military intelligence service. They have been exploiting a critical vulnerability since August 2019 and tracked as CVE-2019-10149.

LIFARS Cyber Incident Response – for mission critical systems, the LIFARS Incident Response Team is deployed to the local enterprise environment.

The NSA also added that when Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. The shell script would:

  1. Add privileged users
  2. Disable network security settings
  3. Update SSH configuration to enable additional remote access
  4. Execute an additional script to enable follow-on exploitation

All private and government organizations are encouraged to update their Exim servers to version 4.93 and look if they have any signs of compromise. According to stats from May 1, 2020, only a half of all Exim servers have been updated to version 4.93, or later. The older version leaves a large number of Exim instances exposed to attacks.

The Indicator of Compromise is available in this link.

The background of the Sandworm group, since the mid-2000s, the group has been seen active. The hacker group is believed to have developed the BlackEnergy malware that caused a blackout in Ukraine in December 2015 and December 2016. The Sandworm developed the infamous NotPetya ransomware which caused huge damages of billions of US dollars to companies all over the world. The Sandworm group and Turla are considered the most advanced Russian state-sponsored hacking groups.

However, Sandworm group will be not able to access any servers as server administrators deploy patches and Sandworm backdoors.