‘The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia’s most advanced cyber-espionage units.
The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).
Also known as “Sandworm,” this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability tracked as CVE-2019-10149.
When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This shell script would:
⚠️Add privileged users
⚠️Disable network security settings
⚠️Update SSH configurations to enable additional remote access
⚠️Execute an additional script to enable follow-on exploitation
The NSA is now warning private and government organizations to update their Exim servers to version 4.93 and look for signs of compromise.
The Sandworm group has been active since the mid-2000s and is believed to be the hacker group who developed the BlackEnergy malware that caused a blackout in Ukraine in December 2015 and December 2016, and the group who developed the infamous NotPetya ransomware that caused damages of billions of US dollars to companies all over the world.
It is currently considered one of the two most advanced Russian state-sponsored hacking groups, together with Turla.