Warning Intelligence

NSA Warning about EXIM Transfer vulnerability


On the evening of May 28, 2020, the National Security Agency (NSA) released a security advisory to the public warning about increased cyber operations carried out by Russia’s General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST). According to this advisor, the GRU hackers increased targeting operations against Exim Mail Transfer Agent (MTA) in Unix-based systems. The specific exploited vulnerability was CVE-2019-10149, which allows a remote attacker to execute commands and code of their choosing. Notes: https://www.nsa.gov/News-Features/News-Stories/Article- View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru- cyber-actors/

The NSA identified several TTPs (Tactics, Techniques, and Procedures) being used by the GRU hackers to exploit this vulnerability:

  • Add privileged users to the system
  • Disable network security settings
  • Update SSH config to enable additional remote access
  • Execute additional scripts for further network exploitation

How to Avoid This Vulnerability

There are several recommended mitigation strategies which range from near-term to longer-term actions (U/OO/140757-20)

  • Upgrade to the latest version of Exim: This is by far the most low-hanging fruit when it comes to hardening any enterprise. Ensuring that the hardware and software running across your organization is up-to-date is pivotal threat mitigation.
  • Internal Detection and Unauthorized Changes: Network-based security monitoring to detect or block CVE-2019-10149 exploit attempts should implement. Snort rule 1-50356 alerts on exploit attempts. If your organization does not have an Intrusion Detection System (IDS) in place, Snort is a free alternative that is very robust and effective.
  • Defense-in-depth Security Strategy: Network segmentation strategies to limit the access rights of public-facing software is critical to mitigation an adversary’s ability to exploit the perimeter and then further launch internal network attacks. Setting up a DMZ for this public-facing software and implementing appropriate firewall rules is essential to network segmentation.

Indicators of Compromise (IOCs)

Organizations should consider searching server and firewall logs for the following IOCs which the NSA has associated with the GRU hackers’ operations to exploit the Exim vulnerability:

  • 95.216.13[.]196
  • 103.94.157[.]5
  • hostapp[.]be

U.S. Threat Surface for Exim Exploitation

Our team has been monitoring the presence of known Exim vulnerabilities across global internet infrastructure. In the U.S. alone, there are over 216,067 potential opportunities for GRU hackers to exploit this software vulnerability.

The below graphic shows the number of vulnerabilities, per state, in the top 50 most vulnerable states, relative to Exim CVE-2019-10149. Out of the sample of affected infrastructure our team reviewed, every one of the affected had more vulnerabilities present than just the CVE-2019-10149. Most had at least two additional vulnerabilities present in the infrastructure. Almost all were present due to outdated software.

Leave a Reply

Your email address will not be published. Required fields are marked *

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

Cybeta Sentinel will use the information you provide on this form to be in touch with you and to provide updates and marketing.