The NSA has warned that the Sandworm Team is exploiting a vulnerability in
Exim Mail Transfer Agent (MTA) software.

In a cybersecurity advisory released on May 28, the NSA reveals that the Sandworm Team
has been exploiting the Exim MTA vulnerability since August 2019.
The vulnerability, CVE-2019-10149, was introduced in Exim version 4.87. It allows a
remote attacker to send a specially crafted e-mail that results in code execution. That
code could then be used for the installation of applications, data editing, and new

Exim issued a fix for CVE-2019-10149 on 5 June 2019. That did not deter the Russian
actors of the GRU Main Center for Special Technologies (GTsST).
The group exploited the flaw by sending a command in the "MAIL FROM" field of an SMTP
(Simple Mail Transfer Protocol) message. The command downloaded and ran a shell script
from a domain. That script was then used to add privileged users, disable network
security settings, and perform other malicious actions.
The NSA states in its advisory that, by updating their Exim installations to version
4.93 or later, organizations are able to defend themselves against these


This recommendation was endorsed by Lamar Bailey, director of security research and
development at Tripwire. He added that such prevention steps should be introduced as
part of a broader security hygiene strategy:

This underlines the need for a strong vulnerability management strategy. Nearly a
year has passed since CVE-2019-10149, and CVSS scores over 9 make it a serious
weakness. High-severity vulnerabilities on a production email server are extremely dangerous, and
arrangements to patch ASAP should be in place.

However, not every vulnerability management program is the same. Organizations should
make sure their strategies follow best practice to optimize the four phases of the
vulnerability management approach in order to be as effective as possible.

The new National Security Agency (NSA) cybersecurity advisory warns that, since at least
August 2019, Russian cyber actors from the GRU Main Center for Special Technologies
(GTsST), field post number 74455, have been exploiting a vulnerability in Exim Mail
Transfer Agent (MTA) software. The cyber actors responsible for this malicious cyber
program are widely identified as the Sandworm Team.

Network-based security tools may also detect and/or block attempts to exploit
CVE-2019-10149. In Snort® 3, for instance, rule 1-50356 alerts on exploit attempts by
default for registered Snort Intrusion Detection System (IDS) users [5]. Administrators
are advised to monitor the network security devices in front of their Exim mail servers,
both to detect previous exploitation and to ensure network-based protection for any Exim
servers that have not yet been identified. Raw traffic logs can also be queried for
e-mails containing a "${run" recipient, which would likely indicate a CVE-2019-10149
exploit.
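As an added example (not code from the NSA advisory or from the original article), the Python below turns the two hunting steps described above into something that can be run against local data: it scans a captured SMTP session and an Exim mainlog excerpt for the "${run" expansion item that CVE-2019-10149 abuses, and it checks a version string such as the output of `exim -bV` against the 4.93 baseline the advisory recommends. The article reports the command in MAIL FROM, while public write-ups of the bug place it in RCPT TO, so both envelope commands are scanned. All sample inputs (hostnames, addresses, IPs, message IDs) are constructed for the example and are not real captures.

```python
import re
from dataclasses import dataclass
from typing import List

# The Exim string-expansion item abused by CVE-2019-10149. A vulnerable Exim
# (4.87 through 4.91) expands an envelope address such as
# ${run{...}}@localhost and executes the enclosed command, so "${run" is the
# indicator the advisory suggests hunting for.
RUN_EXPANSION = re.compile(r"\$\{run\b")

# SMTP envelope commands whose argument is an address Exim will process.
ENVELOPE_CMD = re.compile(r"^(MAIL\s+FROM|RCPT\s+TO)\s*:\s*(.*)$", re.IGNORECASE)


@dataclass
class Finding:
    source: str    # "smtp" (captured session) or "mainlog" (Exim log)
    line_no: int   # 1-based line number within the scanned input
    field: str     # "MAIL FROM", "RCPT TO", or "mainlog"
    value: str     # the offending address argument or log line


def scan_smtp_session(lines: List[str]) -> List[Finding]:
    """Flag MAIL FROM / RCPT TO arguments that carry a ${run expansion."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ENVELOPE_CMD.match(line.strip())
        if m and RUN_EXPANSION.search(m.group(2)):
            cmd = re.sub(r"\s+", " ", m.group(1).upper())
            findings.append(Finding("smtp", n, cmd, m.group(2)))
    return findings


def scan_exim_mainlog(lines: List[str]) -> List[Finding]:
    """Flag Exim mainlog lines that contain a ${run expansion anywhere
    (sender and recipient addresses appear verbatim in arrival and
    delivery entries)."""
    return [Finding("mainlog", n, "mainlog", line.strip())
            for n, line in enumerate(lines, 1) if RUN_EXPANSION.search(line)]


def meets_advisory_baseline(version: str) -> bool:
    """True when a version string (e.g. 'Exim version 4.92 #3' from
    `exim -bV`) is 4.93 or later, the floor the NSA advisory recommends."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return parts >= (4, 93)


# Constructed sample SMTP session: one benign envelope, then envelope
# commands carrying the expansion item (a harmless /bin/true stands in for
# the real payload).
SMTP_SESSION = [
    "EHLO relay.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "MAIL FROM:<${run{/bin/true}}@localhost>",
    "RCPT TO:<${run{/bin/true}}@localhost>",
]

# Constructed Exim mainlog excerpt in Exim's log layout (not a real log).
EXIM_MAINLOG = [
    "2019-09-01 10:15:22 1i4Kjq-0003Zq-Ab <= alice@example.test H=(relay) [203.0.113.5] P=esmtp S=1420",
    "2019-09-01 10:15:23 1i4Kjq-0003Zq-Ab => bob <bob@example.test> R=localuser T=local_delivery",
    "2019-09-01 10:16:01 1i4Kkq-0003Zr-Cd <= ${run{/bin/true}}@localhost H=(x) [198.51.100.7] P=esmtp S=300",
]


if __name__ == "__main__":
    for f in scan_smtp_session(SMTP_SESSION) + scan_exim_mainlog(EXIM_MAINLOG):
        print(f"[{f.source}] line {f.line_no} {f.field}: {f.value}")
    print("4.92 meets advisory baseline:", meets_advisory_baseline("Exim version 4.92 #3"))
```

The log scanner matches the whole line rather than parsing Exim's entry format, so it also catches recipients that only show up in delivery or rejection entries; on a real server, feed it the mainlog (and any retained SMTP captures) for the period since August 2019 that the advisory names.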
