NSA Warns of Sandworm Backdoor Attacks on Mail Servers (Security News, May 2020)
The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet's top email server software, according to the National Security Agency.
Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet's email servers, according to a survey last year.
The bug would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts.
The flaw can be exploited using a specially crafted email containing a modified "MAIL FROM" field in a Simple Mail Transfer Protocol (SMTP) message.
Once Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.
News URL: https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/