NSA Releases Advisory on Sandworm Actors Exploiting an Exim Vulnerability

The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability—CVE-2019-10149—in Exim Mail Transfer Agent (MTA) software. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts. Although Exim released a security update for the MTA vulnerability in June 2019, Sandworm cyber actors have been exploiting this vulnerability in unpatched Exim servers since at least August 2019 according NSA’s advisory, which provides indicators of compromise and mitigations to detect and block exploit attempts. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory encouraging administrators and users to upgrade to the latest version of Exim and review NSA advisory and Exim’s security update for more information. Read the advisory at NSA.