The US National Security Agency (NSA) has issued a cybersecurity advisory warning that the Russian military hacking group responsible for interfering in the 2016 presidential election has been exploiting a critical vulnerability in Exim since last August or earlier.
For those unfamiliar with Exim, the software is a mail transfer agent (MTA) that runs in the background of email servers. The software is currently the most popular MTA and a big reason for this is due to the fact that it is bundled with many popular Linux distros including Debian and Red Hat.
The timing of the NSA’s advisory is a bit strange though as the critical vulnerability in Exim was identified 11 months ago and a patch has already been released to fix the issue.
According to the president of Rendition Infosec and former US government hacker, Jake Williams who spoke with the Associated Press, Exim is so widely used that some companies and government agencies that run the software may have not yet patched the vulnerability. He believes that the NSA may have issued its new advisory to bring attention to the Russian military group known as Sandworm which has exploited the critical vulnerability in Exim in its attacks.
In its advisory, the NSA provided further details on the vulnerability in Exim that Sandworm is actively exploiting, saying:
“The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”
While the NSA did not reveal who the Russian military hackers have targeted, in recent months senior US intelligence officials have warned that Kremlin agents are currently engaged in activities online that could threaten the integrity of the country’s 2020 presidential election.
Organizations and government agencies that use Exim should apply this patch immediately if they have not already done so to avoid falling victim to any potential attacks.