Thursday, May 28, 2020

NSA Advises Citizens Being Targeted by Russian Military Hackers


It seems that the Russian hacker team known as Sandworm has been exploiting a vulnerability in any network that is still running an unpatched version of the Exim MTA.

NSA does not make announcements of vulnerabilities on a regular basis. As a matter of fact, for years people humorously referred to NSA as “No Such Agency” due to its incredible veil of secrecy. However, when an exploit is discovered that creates mass potential for exploitation by persistent threat actors, NSA will sometimes make the vulnerability known to help prevent its exploitation.

Today, the NSA did just that. The idea, of course, is to get companies still running unpatched software to apply the updates and install the patches, which closes the holes that were being exploited.

Here is what the National Security Agency had to say:

Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August. Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.

When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.

For more information on this vulnerability and associated mitigations, review our Cybersecurity Advisory "Sandworm Actors Exploiting Vulnerability in Exim Mail Transfer Agent." To receive notice of future cybersecurity product releases and technical guidance, follow our new Twitter handle @NSAcyber.
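The advisory's only mitigation is to patch, so the first thing a mail administrator needs to know is which Exim build a host is actually running. The shell script below is an added example, not code from the blog post or from the NSA advisory: it parses the version line that `exim -bV` prints, compares it against the first release carrying the fix for CVE-2019-10149, and returns a distinct exit status for patched, vulnerable and undetermined. The function names and the constructed sample outputs are mine, and the value of FIXED_VERSION is my recollection of the fixed release, labelled as an assumption to be confirmed against the Exim or NSA advisory.

```shell
#!/bin/sh
# Added example, not taken from the blog post or from the NSA advisory.
# Reads the "Exim version X.YY" line that `exim -bV` prints and decides
# whether the installed build predates the release that fixed CVE-2019-10149.
# Assumption: FIXED_VERSION is the editor's recollection of that release;
# confirm it against the Exim or NSA advisory before relying on this check.

FIXED_VERSION="4.92"

# exim_version_from_bV: read `exim -bV` output on stdin and print the
# major.minor version (e.g. "4.92"). Prints nothing if no version line exists.
exim_version_from_bV() {
    sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed (exit 0) when dotted version A is >= version B.
# Only the first two numeric components are compared, so "4.92.3" counts as 4.92
# and a bare "4" counts as 4.0.
version_ge() {
    a_major=${1%%.*}; b_major=${2%%.*}
    case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*} ;; *) a_minor=0 ;; esac
    case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*} ;; *) b_minor=0 ;; esac
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# assess_exim: read `exim -bV` output on stdin, print a verdict and return
# 0 = patched, 1 = vulnerable version, 2 = version could not be determined.
assess_exim() {
    v=$(exim_version_from_bV)
    if [ -z "$v" ]; then
        echo "UNKNOWN: no 'Exim version' line found; check the binary by hand"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "PATCHED: Exim $v is at or above $FIXED_VERSION"
        return 0
    fi
    echo "VULNERABLE: Exim $v predates $FIXED_VERSION (CVE-2019-10149); upgrade now"
    return 1
}

# Constructed sample outputs standing in for `exim -bV` on two different hosts.
SAMPLE_OLD="Exim version 4.91 #1 built 15-Feb-2018 13:14:03
Copyright (c) University of Cambridge, 1995 - 2018"
SAMPLE_NEW="Exim version 4.92 #3 built 01-Jun-2019 11:01:41"

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    # `|| :` keeps a VULNERABLE verdict from aborting a `set -e` wrapper;
    # an inventory script would record the non-zero status instead.
    printf '%s\n' "$sample" | assess_exim || :
done
# On a live host: exim -bV | assess_exim   (Debian-derived systems: exim4 -bV)
```

Run it on each mail host (or feed it `exim -bV` output collected centrally) and act on the exit status; a 2 means the binary did not answer as expected and deserves a manual look rather than a pass.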
