The U.S. National Security Agency on Thursday issued an advisory alleging that hackers from Russia's Main Intelligence Directorate (GRU) have been actively exploiting a remote code execution vulnerability in Exim, a Mail Transfer Agent (MTA) widely deployed on Unix-like systems.
Researchers and analysts reacting to the agency's warning say the announcement is an important reminder that organizations must vigilantly practice cyber hygiene by regularly patching their open-source software and securing their Secure Shell (SSH) capabilities.
Officially designated CVE-2019-10149 and publicly disclosed, with a fix available, on June 5, 2019, the critical flaw can be exploited to execute commands with root privileges, thereby enabling attackers to install programs, modify data and create new accounts, the NSA warns. The bug lies in Exim's handling of envelope addresses: the local part is passed through Exim's string expander, so a crafted address such as `${run{...}}@localhost` causes the embedded command to run with the privileges of the Exim process, which is root. Users of the popular email server software, which is the default MTA on certain Linux distributions such as Debian and is designed to transfer email between systems via the Simple Mail Transfer Protocol (SMTP), are urged to install Exim version 4.93 or later.
"The actors exploited victims using Exim software on their public facing MTAs by sending a command in the 'MAIL FROM' field of an SMTP... message," the NSA alert states.
"In terms of strategy, leveraging a publicly disclosed vulnerability provides significant value in that they do not have to burn a zero-day or disclose their unique tooling," said Greg Foss, senior threat researcher from VMware Carbon Black's Threat Analysis Unit (TAU). "The attack itself is rather simple code execution that follows a continuing trend of attacks against internet-facing Linux systems. These attacks consistently follow a pattern of exploitation wherein the malicious actors upload a custom post-exploitation shell script that adds privileged users and then disables security configurations, backdoors the host, and often drops malware such as cryptocurrency miners and info stealers."
"What we don’t know is if the NSA’s release of this information signals that this was part of a more targeted attack," Foss continued. "Given the ease of exploitation and the fact that this vulnerability can be triggered by a simple email message, I am inclined to speculate that they cast a wide net and are aiming to add nodes to their overall capability to leverage as proxies in future operations."
The Russian hackers, whom the NSA and other cyber experts refer to as the Sandworm Team (aka Voodoo Bear), have been exploiting the bug since at least August 2019 to download and execute shell scripts from domains under their control, the NSA advisory asserts. The script is capable of adding privileged users, disabling network security settings, enabling expanded remote access by updating SSH configurations, and executing additional scripts for further exploitation.
"Highly sophisticated APT groups can use SSH capabilities to maintain undetected remote access to critical systems and data, allowing attackers to do nearly anything from circumventing security controls, injecting fraudulent data, subverting encryption software and installing further payload," said Yana Blachman, threat intelligence specialist at Venafi. "There has been a rise in both malware and APT campaigns that leverage SSH, but unfortunately, organizations routinely overlook the importance of protecting this powerful asset. Hopefully, this warning from the NSA will force organizations to review how they're protecting SSH capabilities before cyber attackers make their move."
Last February, the U.S. State Department condemned a disruptive cyberattack perpetrated against the country of Georgia, for which it also blamed Sandworm -- publicly linking the group to the GRU's Main Center for Special Technologies, or Unit 74455.
The NSA advises organizations to use network-based security appliances to detect and block CVE-2019-10149 exploit attempts, to use integrity monitoring software to ensure there have been no unauthorized system modifications, and to practice network segmentation and defense-in-depth strategies.
"Public facing MTAs should be isolated from sensitive internal resources in a demilitarized zone (DMZ) enclave," the advisory recommends. "When using a DMZ for public Internet facing systems, firewall rules are important to block unexpected traffic from reaching trusted internal resources. In addition, MTAs should only be allowed to send outbound traffic to necessary ports (e.g. 25, 465, 587), and unnecessary destination ports should be blocked. Least access model firewall rules around a DMZ can inhibit attackers from gaining unauthorized access, as unexpected port traffic should be blocked by default."
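Two of the checks the advisory recommends, written here as an added Python example rather than code from the NSA or the Exim project: a sensor-side scan of SMTP envelope commands for Exim string-expansion syntax, which is what a CVE-2019-10149 exploit attempt carries in its MAIL FROM or RCPT TO address, and an egress check that flags an MTA host talking to anything but the mail ports the advisory lists (a fetch of a post-exploitation script over HTTP would surface there). The SMTP lines, flow records and host addresses are constructed for the example; the `\xHH` escape decoding mirrors how Exim's expander reads such strings, so an analyst sees the command rather than its encoded form.

```python
"""Added example: two detections drawn from the NSA's CVE-2019-10149 guidance.
Not the NSA's or Exim's code; all sample inputs below are constructed."""

import re
from dataclasses import dataclass

# A legitimate envelope address never contains "${"; "${run{" in particular
# is the Exim expansion item a CVE-2019-10149 exploit attempt relies on.
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(?P<addr>[^>]*)>", re.IGNORECASE)
RUN_ITEM_RE = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)

# The only outbound ports the advisory says a public MTA should need.
ALLOWED_OUTBOUND_PORTS = {25, 465, 587}

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}


def decode_exim_escapes(s: str) -> str:
    """Render \\xHH, \\t, \\n, \\r escapes the way Exim's expander does, so a
    command hidden from naive string matching becomes readable."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        if tok.startswith("x"):
            return chr(int(tok[1:], 16))
        return _SIMPLE_ESCAPES[tok]
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|[tnr\\])", repl, s)


@dataclass
class Finding:
    kind: str    # "cve-2019-10149-attempt" or "suspicious-expansion"
    detail: str  # verb plus decoded address, for the analyst


def scan_smtp_commands(lines):
    """Scan raw SMTP command lines (as a network sensor or a verbose MTA log
    records them) and flag envelope addresses carrying expansion syntax."""
    findings = []
    for line in lines:
        m = ENVELOPE_RE.match(line.strip())
        if not m:
            continue
        verb, addr = m.group(1).upper(), m.group("addr")
        if RUN_ITEM_RE.search(addr):
            findings.append(Finding("cve-2019-10149-attempt",
                                    f"{verb} {decode_exim_escapes(addr)}"))
        elif "${" in addr:
            findings.append(Finding("suspicious-expansion", f"{verb} {addr}"))
    return findings


def scan_mta_egress(flows, mta_hosts):
    """Return (src, dst, dport) for outbound flows from MTA hosts to ports
    outside the advisory's allowlist, e.g. an HTTP fetch of a dropper script."""
    return [(src, dst, dport) for src, dst, dport in flows
            if src in mta_hosts and dport not in ALLOWED_OUTBOUND_PORTS]


# Constructed sample data (hypothetical session and flow records, not captures).
SAMPLE_SMTP = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    # Exploit-style envelope: escapes hide the shell command from simple matching.
    "MAIL FROM:<${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@localhost>",
    # Another expansion item in a local part: not the CVE signature, still abnormal.
    "RCPT TO:<${readfile{/etc/passwd}}@localhost>",
]
MTA_HOSTS = {"203.0.113.10"}
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.5", 25),   # normal outbound SMTP
    ("203.0.113.10", "192.0.2.77", 80),     # MTA fetching something over HTTP
    ("203.0.113.10", "198.51.100.9", 587),  # submission port, allowed
    ("10.0.0.5", "192.0.2.77", 443),        # not an MTA host, ignored
]

if __name__ == "__main__":
    for f in scan_smtp_commands(SAMPLE_SMTP):
        print(f"[{f.kind}] {f.detail!r}")
    for src, dst, dport in scan_mta_egress(SAMPLE_FLOWS, MTA_HOSTS):
        print(f"[egress-violation] {src} -> {dst}:{dport}")
```

Run against the constructed data, the scan reports the escaped `MAIL FROM` line as a CVE-2019-10149 attempt with the decoded `/bin/sh -c "id"` payload, the `${readfile{...}}` recipient as a suspicious expansion, and the MTA's port-80 connection as an egress violation; the HTTPS flow from a non-MTA host is not reported.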
But patching Exim software is clearly a critical first step -- one that should have been done nearly a year ago.
"This emphasizes the need for a good vulnerability management plan. CVE-2019-10149 has been out almost a year now and has a CVSS score above 9, making it a critical vulnerability," said Lamar Bailey, senior director of security research at Tripwire. "High-scoring vulnerabilities on a production email server are high risk and there should be plans in place to remediate them ASAP."
"The NSA's revelation that a Russian military group is targeting an open source vulnerability -- reported nearly a year ago -- is an extreme example of what can happen when businesses don’t practice proper software hygiene," said e-mailed commentary from DevOps automation company Sonatype. "The incident once again brings software hygiene to the fore, and underscores the urgent need for businesses to maintain a 'software bill of materials' to manage, track and monitor open-source software components in their applications, and to identify, isolate and remove vulnerabilities like this one. Without one, they're in a race against time to try and find the flaw before their adversaries do."