NSA attentive to new Sandworm attacks on mail servers

The NSA released a security alert on Friday warning of a new wave of cyber attacks on mail servers, carried out by one of Russia’s most advanced cyber espionage units. The NSA reports that members of unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, attacked email servers running the Exim Mail Transfer Agent (MTA).

Also known as “Sandworm”, this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability identified as CVE-2019-10149, the NSA said in a security alert shared today with ZDNet. “When Sandworm exploited CVE-2019-10149, the victim machine would download and then run a shell script from a domain controlled by Sandworm,” said the NSA.

Among other things, this shell script would:

  • add privileged users;
  • disable network security settings;
  • update SSH configurations to allow additional remote access;
  • execute an additional script to allow further exploitation.

The NSA is now urging private and government organizations to update their Exim servers to version 4.93 and to look for signs of compromise. The indicators of compromise are listed in the NSA’s PDF advisory.
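The advisory’s two recommendations, checked from the defender’s side: a small audit script, added here as an illustration (not code from ZDNet or the NSA), that flags an Exim release below 4.93 and the two host-level traces named in the list above, extra UID-0 accounts and loosened sshd settings. The `exim -bV` output format and the sample files are assumptions, constructed inline.

```shell
#!/bin/sh
# Added defender-side audit example; not code from the article or the NSA advisory.
# Checks three things the advisory asks administrators to look at: an Exim
# release below 4.93, extra UID-0 accounts, and SSH settings widened for remote access.
# Extract "X.YY" from `exim -bV` output (first line assumed to read
# "Exim version X.YY #N built ...").
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 is below 4.93, the release the advisory asks for.
exim_below_493() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # tolerate suffixes such as "4.92-RC2"
    [ "$major" -lt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -lt 93 ]
}

# List accounts other than root that carry UID 0 ($1 is a passwd-format file).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# List sshd_config directives that loosen remote access ($1 is an sshd_config).
# Findings are the printed lines; grep's exit status is deliberately ignored.
risky_sshd_settings() {
    grep -Ei '^[[:space:]]*(PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords)[[:space:]]+yes' "$1" || :
}

# Constructed sample inputs (hypothetical host); on a real server feed
# `exim -bV`, /etc/passwd and /etc/ssh/sshd_config instead.
SAMPLE_BV='Exim version 4.92 #3 built 10-Jun-2019 12:00:00'
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/usr/sbin/nologin
backup:x:0:0:planted uid-0 account (constructed):/tmp:/bin/sh
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
EOF
ver=$(exim_version_from_bv "$SAMPLE_BV")
exim_below_493 "$ver" && echo "FINDING: Exim $ver is below 4.93"
for u in $(extra_uid0_accounts "$SAMPLE_DIR/passwd"); do echo "FINDING: extra UID-0 account $u"; done
risky_sshd_settings "$SAMPLE_DIR/sshd_config" | sed 's/^/FINDING: sshd_config: /'
```

The script reports findings only; a version below 4.93 or any extra UID-0 account is a reason to check the host against the advisory’s indicators, not proof of compromise on its own.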

Nine months to carry out attacks

The Sandworm group has been active since the mid-2000s. It is almost certainly the group behind the BlackEnergy malware, which caused massive blackouts in Ukraine in December 2015 and December 2016. It is also the group behind the infamous NotPetya ransomware, which caused billions of US dollars in damage to businesses around the world.

Along with the Turla group, Sandworm is currently considered one of the two most advanced hacking groups sponsored by the Russian state. The vulnerability CVE-2019-10149 was disclosed in June 2019 and was codenamed “Return of the WIZard”.

In the week following its disclosure, hacking groups began to abuse it. Two weeks later, Microsoft also issued an alert, warning Azure customers that a threat actor had developed a self-spreading Exim worm that exploited this vulnerability to take over servers running on Azure infrastructure.

SMTP, a target of choice

Almost half of the e-mail servers on the Internet run Exim. According to statistics from May 1, 2020, only half of Exim servers had been updated to version 4.93 or later, leaving a large number of Exim instances exposed to attack.

“Many organizations are focused on cloud or mobile. They forget a little too quickly that really old services like SMTP represent a large part of their personal and professional life, and that, by definition, these services are exposed to the Internet,” explains Richard Bejtlich, senior security strategist at the cyber security company Corelight, interviewed by ZDNet.

“They are perfect targets for Internet-facing adversaries: they process the most sensitive data and people treat them like appliances, which means they are often forgotten as long as they continue to work, and are not being watched.”

Name and Shame

But today’s NSA security advisory has two goals beyond getting Exim administrators to patch their servers. First, it is intended to burn much of Sandworm’s offensive infrastructure. Following today’s alert, Sandworm operators may lose access to many of the servers they have hijacked over the past nine months, as server administrators deploy patches and remove Sandworm’s backdoors.

Second, the advisory again draws the world’s attention to Russia’s cyber-espionage operations. Many of these Russian operations have exceeded the limits of what is acceptable in modern cyber espionage, often causing damage in the real world (for example, NotPetya, BadRabbit, BlackEnergy, the DDoS attacks on Georgia, the DNC hack, etc.).

The United States and the other members of the Five Eyes alliance, which brings together the intelligence services of the Anglo-Saxon countries allied with Washington, have made publicly attributing and denouncing Russian cyber attacks a matter of policy, at least since the end of 2018. They have since extended this policy to Chinese, Iranian and North Korean operations as well.

Source: ZDNet.com
