News for Admins
Tech News
Russian Hacking Operation Underway
A Russian hacking group known as the "Sandworm Team" (part of the GRU, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation) has been exploiting a known vulnerability in the Exim mail transfer agent. Once a server is compromised, it downloads and runs a shell script from a Sandworm-controlled domain that adds privileged users, disables network security settings, updates the SSH configuration to enable additional remote access, and executes a further script to enable follow-on exploitation.
This is the same organization that targeted the 2016 United States presidential election, stealing emails from the Democratic National Committee and breaking into voter registration databases.
The target is the Exim mail transfer agent, which ships with countless Linux and UNIX-based operating systems. The actors exploited Exim on public-facing mail servers by sending a crafted command in the "MAIL FROM" field of an SMTP message. A successful exploit lets the attacker execute code of their choosing, with root privileges in a default Exim installation. The vulnerability, CVE-2019-10149, affects Exim 4.87 through 4.91; it was fixed in Exim 4.92 and publicly disclosed on June 5, 2019, but not all Linux administrators are as up-to-date on patches as they should be. The Exim developers urged all users to upgrade at the time, and the NSA is now adding its own encouragement for administrators to patch Exim immediately to mitigate this ongoing threat.
If your Linux mail server is running a version of Exim older than 4.93, you need to upgrade immediately; the NSA advisory recommends 4.93 or newer, and exim -bV shows the installed version. One caveat: distributions that backport security fixes may report an older version number with the CVE-2019-10149 fix already applied, so if you rely on vendor packages, check your distribution's advisory for that CVE rather than the version string alone.
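As an added example (not from the ADMIN article or the NSA advisory), the POSIX shell script below performs two quick triage checks that follow from the advisory: it parses the output of exim -bV and flags anything below 4.93, and it lists UID-0 accounts other than root in a passwd file, since the post-exploitation script described above added privileged users. The exim -bV lines and the passwd entries embedded in the script are constructed sample data, not real captures.

```shell
#!/bin/sh
# Added example, not code from the ADMIN article or the NSA advisory.
# Two triage checks for the Exim advisory:
#   1. Is the installed Exim older than 4.93 (the NSA's minimum)?
#      Reads "exim -bV" output on stdin.
#   2. Has an extra UID-0 account appeared in /etc/passwd?
# The sample "exim -bV" output and passwd file below are constructed
# for demonstration only.

# Extract "4.92" from a line such as "Exim version 4.92 #4 built ..."
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_version_ok VERSION: return 0 if VERSION is 4.93 or newer, 1 otherwise.
# Only major.minor are compared; "4.94.2" is treated as 4.94.
exim_version_ok() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        *[!0-9]*|'') return 1 ;;   # unparsable: do not report it as safe
    esac
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 93 ]; }; then
        return 0
    fi
    return 1
}

# check_exim_bv: read "exim -bV" output on stdin, print a verdict,
# return 0 if patched, 1 if too old, 2 if the version could not be parsed.
check_exim_bv() {
    v=$(exim_version_from_bv)
    if [ -z "$v" ]; then
        echo "could not parse Exim version from input"
        return 2
    fi
    if exim_version_ok "$v"; then
        echo "Exim $v: at or above 4.93"
        return 0
    fi
    echo "Exim $v: OLDER THAN 4.93 - upgrade now (CVE-2019-10149 affects 4.87-4.91)"
    return 1
}

# extra_root_users PASSWD_FILE: print every UID-0 account other than root.
extra_root_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# --- constructed sample data -------------------------------------------
SAMPLE_BV_OLD='Exim version 4.92 #4 built 10-Feb-2019 11:35:03
Copyright (c) University of Cambridge, 1995 - 2018'
SAMPLE_BV_NEW='Exim version 4.93 #2 built 06-Dec-2019 20:13:33
Copyright (c) University of Cambridge, 1995 - 2019'

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mailnull:x:47:47::/var/spool/exim:/sbin/nologin
backup2:x:0:0::/tmp:/bin/bash
EOF

# --- demo on the sample data ----------------------------------------------
printf '%s\n' "$SAMPLE_BV_OLD" | check_exim_bv || true
printf '%s\n' "$SAMPLE_BV_NEW" | check_exim_bv || true
echo "UID-0 accounts other than root in sample passwd:"
extra_root_users "$SAMPLE_PASSWD"
```

On a live system, run `exim -bV | check_exim_bv` and `extra_root_users /etc/passwd` after sourcing the functions; an extra UID-0 account is a reason to treat the host as compromised, not just unpatched, and the version check is only meaningful when the distribution has not backported the fix under an older version number.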
Original source: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA-Sandworm-Actors-Exploiting-Vulnerability-in-Exim-Transfer-Agent-20200528.pdf