Russian cyber actors from the GRU Main Center for Special Technologies (GTsST), field post number 74455, have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019, warns a new National Security Agency (NSA) cybersecurity advisory. The cyber actors responsible for this malicious cyber program are known publicly as Sandworm team.
According to the NSA, Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.

When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.

According to the NSA, the following are some mitigation actions that can help with these vulnerabilities. 

1. Apply Exim Updates Immediately

Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available [4].

Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version from
2. Detect Exploit Attempts and Unauthorized Changes
Additionally, network-based security appliances may be able to detect and/or block CVE-2019-10149 exploit attempts. For example, Snort®3 rule 1-50356 alerts on exploit attempts by default for registered users of a Snort Intrusion Detection System (IDS) [5]. Administrators are encouraged to review network security devices protecting Exim mail servers both for identifying prior exploitation and for ensuring network-based protection for any unpatched Exim servers. Raw traffic logs can also be queried for emails with a recipient containing “${run”, which would likely indicate a CVE-2019-10149 exploit
attempt. Other attack methods exist for non-default configurations and may not be detected using these methods.
Routinely verifying no unauthorized system modifications, such as additional accounts and SSH keys, have occurred can help detect a compromise. To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system.
Apply Defense-in-Depth Security Strategy
Security principles such as least access models and defense-in-depth should be applied when installing public facing software such as MTAs and can help prevent exploitation attempts from being successful. Network segmentation should be used to separate networks into zones based on roles and requirements. Public facing MTAs should be isolated from sensitive internal resources in a demilitarized zone (DMZ) enclave. When using a DMZ for public Internet facing systems, firewall rules are important to block unexpected traffic from reaching trusted internal resources. In addition, MTAs should
only be allowed to send outbound traffic to necessary ports (e.g. 25, 465, 587), and unnecessary destination ports should be blocked. Least access model firewall rules around a DMZ can inhibit attackers from gaining unauthorized access, as unexpected port traffic should be blocked by default.
If an MTA DMZ was configured in a least access model, for example to deny by default MTA initiated outbound traffic destined for port 80/443 on the Internet while only permitting traffic initiated from an MTA to necessary hosts on port 80/443, the actors’ method of using CVE-2019-10149 would have been mitigated.
Indicators of Compromise (IOC)
The NSA notes that since at least August 2019, the following IP addresses and domains were associated with these attacks from the Sandworm actor:

For more information, visit