NSA Publishes IOCs Associated With Russian Targeting of Exim Servers
The U.S. National Security Agency on Thursday published information on the targeting of Exim mail servers by the Russia-linked threat actor known as Sandworm Team.
The open-source Exim mail transfer agent (MTA) is used broadly worldwide: it powers more than half of the Internet's email servers and comes pre-installed in some Linux distributions.
"The Russian actors, part of the General Staff Main Intelligence Directorate's Main Center for Special Technologies, have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access - as long as that network is using an unpatched version of Exim MTA," the NSA says.
According to the NSA's advisory, Sandworm Team has been targeting unpatched Exim mail servers on its victims' public-facing MTAs by sending a command in the MAIL FROM field of an SMTP message.
"Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation," the NSA warns.
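A log-triage sketch for the MAIL FROM technique described above (an added example, not code from the NSA advisory or the Exim project): it extracts the envelope sender from Exim main-log lines and flags any that is not a plain address. The log layout it expects (`<=` arrival lines, `F=<...>` on rejection lines), the allow-list pattern and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed Exim main-log arrival line: "<date> <time> <msg-id> <= <sender> H=..."
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>.*?)(?= (?:H|U|P|R)=|$)")
# Assumed rejection-line form: the envelope sender is logged as F=<...>
REJECT = re.compile(r" F=<(?P<sender>[^>]*)>")

# Allow-list for an ordinary envelope sender; "<>" is the null (bounce) sender.
# Deliberately strict: unusual but legitimate addresses will also be flagged,
# so treat hits as leads for review and tune the pattern per site.
PLAIN_SENDER = re.compile(r"^(?:<>|[A-Za-z0-9._%+=-]+@[A-Za-z0-9.-]+)$")


def envelope_sender(line):
    """Return the envelope sender logged on this line, or None if there is none."""
    m = ARRIVAL.search(line) or REJECT.search(line)
    return m.group("sender") if m else None


def suspicious_lines(lines):
    """Yield (line_number, sender) for senders that are not plain addresses."""
    for n, line in enumerate(lines, 1):
        sender = envelope_sender(line)
        if sender is not None and not PLAIN_SENDER.match(sender):
            yield n, sender


# Constructed sample log lines (not taken from the advisory or a real server).
SAMPLE_LOG = """\
2020-05-28 10:01:02 1jeAAA-0001aa-AA <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtps S=2310
2020-05-28 10:01:05 1jeAAA-0001aa-AA => bob@example.net R=dnslookup T=remote_smtp
2020-05-28 10:02:11 1jeBBB-0001bb-BB <= <> R=1jeAAA-0001aa-AA U=Debian-exim P=local S=1450
2020-05-28 10:03:40 H=(probe) [198.51.100.7] F=<CONSTRUCTED_COMMAND_PLACEHOLDER --arg> rejected RCPT <root@mail.example.org>
2020-05-28 10:04:02 1jeCCC-0001cc-CC <= x|PLACEHOLDER@example.com H=(probe) [198.51.100.7] P=smtp S=512
""".splitlines()

if __name__ == "__main__":
    for n, sender in suspicious_lines(SAMPLE_LOG):
        print(f"line {n}: unusual envelope sender {sender!r}")
```

A hit only shows that something other than an address was submitted as the sender; whether the server was affected still depends on the installed Exim version, per the NSA guidance quoted above.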