NSA warns that Russian hacking group Sandworm has been infiltrating MTA Exim for months

This week, the U.S. National Security Agency (NSA) warned the public that Russian military cyber-actors had been exploiting at least one version of the email software for months, media reported. The affected software is Exim, a mail transfer agent (MTA) for Unix-based systems that many Linux distributions install by default.


Although the original patch for the vulnerability was released as early as last year, many systems running Exim never installed it.

The vulnerability is tracked as CVE-2019-10149; it allows remote attackers who know about it to execute commands and code of their choice.
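The article does not say which versions are affected. The upstream Exim advisory for CVE-2019-10149 covers Exim 4.87 through 4.91, with the fix shipped in 4.92 (a fact not taken from the article). As an added example, not code from the article or from the Exim project, the check below parses the first line of `exim -bV` output (a constructed sample is embedded) and reports whether the reported version falls inside that range:

```python
import re
from typing import Optional, Tuple

# Affected range per the upstream Exim advisory for CVE-2019-10149
# (fact not taken from the article): 4.87 <= version <= 4.91; fixed in 4.92.
FIRST_AFFECTED = (4, 87)
FIXED_IN = (4, 92)

# Constructed sample of the first lines that `exim -bV` prints.
SAMPLE_BV_OUTPUT = """Exim version 4.91 #1 built 12-Mar-2019 10:47:15
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
"""

VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)", re.MULTILINE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from `exim -bV` output; None if not found."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version: Tuple[int, int]) -> bool:
    """True when the version lies in the CVE-2019-10149 range.
    Tuple comparison orders 4.9 before 4.10 correctly, unlike string compare."""
    return FIRST_AFFECTED <= version < FIXED_IN


def assess(bv_output: str) -> str:
    """Return a one-line verdict suitable for an inventory report."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown: could not parse Exim version"
    tag = "%d.%d" % version
    if is_affected(version):
        # Distribution packages may carry a backported fix while keeping the
        # old upstream version number, so this is a screening result, not
        # confirmation; verify against the package changelog.
        return f"{tag}: in affected range for CVE-2019-10149, verify patch level"
    return f"{tag}: outside affected range"


if __name__ == "__main__":
    print(assess(SAMPLE_BV_OUTPUT))
```

Feed it the real output with `exim -bV` piped into the script on each host to screen an inventory; a "verify patch level" result still needs the distribution's changelog checked for a backported fix.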

According to documents released by the NSA, the Russian group that exploited the vulnerability was Sandworm, which the agency attributes to the GRU Special Technology Centre (GTsST), unit 74455. These actors are accused of exploiting the vulnerability to add privileged users, disable network security settings, and execute additional scripts for further exploitation of the network, arguably giving them the access almost any attacker dreams of, and of targeting unpatched versions of the Exim MTA.

The patch for the vulnerability was released a few months ago, and Exim's developers issued a warning at the time. Now the NSA has made sure the public is warned as well.

Alongside this release, the NSA said it would publish further cybersecurity products and technical guidance through its Twitter account, @NSAcyber.