Cybersecurity Threat Advisory 0034-20: Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors
According to the NSA, Russian military cyber actors have been exploiting a vulnerability in the Exim mail transfer agent (MTA) software on Unix-based systems. The vulnerability could allow attackers to execute commands with root privileges. SKOUT recommends updating Exim to version 4.93 or newer.
Technical detail and additional information
What is the threat?
A vulnerability exists in the Exim Mail Transfer Agent (MTA) software (versions 4.87 to 4.92) for Unix-based systems that can allow an unauthenticated remote attacker to execute commands with root privileges. By specially crafting an email with the desired command in the “MAIL FROM” field of a Simple Mail Transfer Protocol (SMTP) message, the attacker could execute the given code on the recipient’s device. The attacker can provide a wide array of different commands that could allow them to download programs, modify data, create/modify/delete user accounts, and more.
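Because the attack described above arrives in the SMTP "MAIL FROM" envelope sender, Exim's own main log is a practical place to look for it: every accepted message is recorded with a "<=" marker followed by that sender. The detection heuristic below is an added example written for this advisory, not code from SKOUT, the NSA or the Exim project. It scans constructed sample log lines (the addresses, hosts and message IDs are made up) and flags senders that contain Exim string-expansion syntax or shell metacharacters, neither of which belongs in a normal sender address. Quoted local-parts can legitimately contain such characters, so treat hits as triage leads rather than confirmed compromise.

```python
import re

# Constructed sample Exim main-log lines (not real traffic). Exim records each
# message arrival with "<=" followed by the envelope sender from MAIL FROM.
SAMPLE_MAINLOG = """\
2020-05-28 09:14:02 1jdXyz-0001Ab-Cd <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2310
2020-05-28 09:14:09 1jdXyz-0001Ac-Ef <= "${sample-expansion}"@example.net H=(bogus) [198.51.100.7] P=esmtp S=512
2020-05-28 09:15:30 1jdXyz-0001Ad-Gh <= bob|ops@example.com H=(x) [203.0.113.5] P=esmtp S=640
2020-05-28 09:16:01 1jdXyz-0001Ae-Ij <= <> H=mx.example.org [192.0.2.11] P=esmtps S=1200
"""

# Timestamp, Exim message ID, the "<=" arrival marker, then the sender token.
ARRIVAL_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)')

# Heuristic patterns (assumption: legitimate senders rarely contain these).
SUSPICIOUS = [
    (re.compile(r'\$\{'), 'Exim string-expansion syntax in sender'),
    (re.compile(r'[`|;]|\$\('), 'shell metacharacters in sender'),
]


def parse_arrivals(text):
    """Yield (timestamp, message_id, sender, raw_line) for each arrival line."""
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield m.group('ts'), m.group('id'), m.group('sender'), line


def scan_mainlog(text):
    """Return a list of findings; each is a dict describing a suspicious sender."""
    findings = []
    for ts, msg_id, sender, line in parse_arrivals(text):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(sender):
                findings.append({
                    'timestamp': ts,
                    'message_id': msg_id,
                    'sender': sender,
                    'reason': reason,
                    'line': line,
                })
                break  # one reason per line is enough for triage
    return findings


if __name__ == '__main__':
    for f in scan_mainlog(SAMPLE_MAINLOG):
        print(f"{f['timestamp']} {f['message_id']} {f['reason']}: {f['sender']}")
```

Running the script against a real log is a matter of replacing SAMPLE_MAINLOG with the contents of the Exim main log on the host being reviewed; the bounce sender "<>" and ordinary addresses pass through without a finding.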
Why is this noteworthy?
By exploiting this vulnerability an attacker is able to run commands with root privileges without authenticating. Simply put, if your version of Exim is vulnerable to this attack, any actor capable of writing a Unix command can potentially exploit it. In addition, it is very noteworthy that the actors the NSA has attributed these exploits to are from the GRU’s Main Center for Special Technology, and by extension the Russian military. This group of actors is publicly known as “Sandworm team” and has been exploiting this vulnerability since at least August of 2019. It is unclear at this time whether there is an overarching goal for this group of threat actors; however, given the level of access that this vulnerability grants to the exploiter, there are many possibilities. Lastly, Exim is a commonly used MTA for many Unix-based systems and comes pre-installed on several Linux distributions, such as Debian. This can leave a large number of systems vulnerable without anyone being aware, as administrators may not know their system uses or has Exim.
What is the exposure or risk?
By leveraging this vulnerability an attacker can execute any code that they wish, both remotely and pre-authentication. When Sandworm team has exploited this vulnerability previously, they would run code that forced the target machine to download and execute a shell script from a domain that they controlled. From there, they would create new privileged users, disable network security settings, update SSH configurations to enable additional remote access, and run additional scripts to enable follow-up on the exploitation. This suite of actions would ensure that they had almost immutable persistence on the machine and could then perform whatever malicious actions they wished. Given that this is alleged to be a state-sponsored actor, their goals likely align with those of an Advanced Persistent Threat (APT) group. The main goals of an APT are typically espionage, disruption, and information theft. In this case that could mean the attacks are highly targeted and used for gathering sensitive information about personnel or organizations that could be leveraged for economic damage. However, it is unknown at this time what the group’s goals were.
What are the recommendations?
A patch is already available for Exim, and it is highly recommended to apply it to mitigate both this and other vulnerabilities. The NSA has also released a report detailing this activity, along with its own recommendations. Included among them are known Indicators of Compromise (IOCs), a Snort rule (for those that use the Snort IDS) and guidance on how to apply Defense-in-Depth strategies to this situation, including network segmentation, firewall best practices, and more. All of this information can be found at the link below for the complete list of recommendations:
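The first step in acting on this recommendation is knowing which Exim version each host runs. The script below is an added example for this advisory (not SKOUT, NSA or Exim project code) that parses the first line of `exim -bV` output, which Exim prints as "Exim version X.YZ #N built ...", and rates the host against the ranges stated above: 4.87 through 4.92 affected, 4.93 or newer recommended. The sample output is constructed; `check_local_exim()` runs the real binary only when one is present on the host.

```python
import re
import subprocess

# Ranges as stated in this advisory.
FIRST_AFFECTED = (4, 87)
FIXED_IN = (4, 93)

# Constructed sample of the banner `exim -bV` prints; the build date is made up.
SAMPLE_BV = """\
Exim version 4.92 #3 built 07-Jun-2019 08:27:44
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
"""

VERSION_RE = re.compile(r'Exim version (\d+(?:\.\d+)+)')

STATUS_AFFECTED = 'AFFECTED: update to Exim 4.93 or newer'
STATUS_OK = 'not affected per this advisory (4.93 or newer)'
STATUS_OLD = 'older than the affected range; review separately'


def parse_exim_version(bv_output):
    """Return the version as a tuple of ints, e.g. '4.92.3' -> (4, 92, 3)."""
    m = VERSION_RE.search(bv_output)
    if not m:
        raise ValueError('no "Exim version" line found in -bV output')
    return tuple(int(part) for part in m.group(1).split('.'))


def assess(version):
    """Map a version tuple to one of the STATUS_* strings.

    Tuple comparison handles point releases naturally: (4, 92, 3) < (4, 93).
    """
    if version < FIRST_AFFECTED:
        return STATUS_OLD
    if version < FIXED_IN:
        return STATUS_AFFECTED
    return STATUS_OK


def check_local_exim():
    """Run `exim -bV` on this host; return (version, status) or None if absent."""
    try:
        proc = subprocess.run(['exim', '-bV'], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    try:
        version = parse_exim_version(proc.stdout)
    except ValueError:
        return None
    return version, assess(version)


if __name__ == '__main__':
    result = check_local_exim()
    if result is None:
        print('exim binary not found or unreadable; sample assessment instead:')
        v = parse_exim_version(SAMPLE_BV)
        print('.'.join(map(str, v)), '->', assess(v))
    else:
        v, status = result
        print('.'.join(map(str, v)), '->', status)
```

On a fleet, the same parse-and-assess logic can be fed the captured `exim -bV` output from each host rather than run locally; the version tuple is also what you would compare against your distribution's backported package version if it reports an older number with the fix applied.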
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.