NSA Warns of Sandworm Backdoor Attacks on Mail Servers (Security News, May 2020)
The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet's top email server software, according to the National Security Agency.
Exim is the default MTA on some Linux distributions such as Debian and Red Hat, and Exim-based mail servers account for almost 57 percent of the internet's email servers, according to a survey last year.
The bug would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts.
The flaw can be exploited with a specially crafted email whose "MAIL FROM" field in the Simple Mail Transfer Protocol (SMTP) exchange has been modified.
Once Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.
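Because the reported attack rides in on the SMTP envelope sender, one cheap defensive check is to review the sender values Exim writes to its main log and flag anything outside a conservative address shape. The example below is added here and is not code from the page, the NSA, or the Exim project; the log lines are constructed (the message ids, hosts and addresses are invented), and the acceptance regex is deliberately stricter than RFC 5321, because characters such as `$`, `{` and `}` are legal in a local-part and so an RFC-level validity check alone would not flag them.

```python
import re
from typing import List, Optional, Tuple

# Constructed Exim-style main-log lines for illustration only (not from the page or any real incident).
# Arrival lines use "<= sender"; reject lines carry the sender as "F=<sender>"; "<>" is the empty bounce sender.
SAMPLE_LOG = """\
2020-05-28 10:01:02 1jdXyZ-0001Ab-Cd <= alice@example.com H=(mail.example.com) [198.51.100.7] P=esmtp S=1234
2020-05-28 10:02:15 1jdXyZ-0001Ac-Ef <= <> H=(bounce.example.net) [198.51.100.9] P=esmtp S=512
2020-05-28 10:03:40 1jdXyZ-0001Ad-Gh <= "x;id"@example.org H=(203.0.113.5) [203.0.113.5] P=esmtp S=2048
2020-05-28 10:04:11 H=(203.0.113.6) [203.0.113.6] F=<$weird{value}@example.org> rejected RCPT <bob@example.com>: relay not permitted
"""

# Pull the envelope sender out of either log line shape; "<>" is matched first so the
# empty sender is not mistaken for a stray "<" token.
SENDER_RE = re.compile(r"(?:<= |F=<)(<>|[^\s>]*)")

# Conservative local policy (an assumption, not a standard): plain ASCII local-part and a dotted domain.
# RFC 5321/5322 allow far more (quoted local-parts, $, {, }, ...), so anything else goes to a human.
CONSERVATIVE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def extract_sender(line: str) -> Optional[str]:
    """Return the envelope sender from an Exim log line ('' for the empty sender), or None if absent."""
    m = SENDER_RE.search(line)
    if not m:
        return None
    sender = m.group(1)
    return "" if sender == "<>" else sender


def is_conservative(sender: str) -> bool:
    """True for the empty bounce sender or an address matching the conservative policy."""
    return sender == "" or bool(CONSERVATIVE_ADDR.match(sender))


def flag_suspicious_senders(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, sender) for every logged sender outside the conservative policy."""
    flagged: List[Tuple[int, str]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        sender = extract_sender(line)
        if sender is None:
            continue  # line carries no envelope sender (e.g. delivery or completion records)
        if not is_conservative(sender):
            flagged.append((number, sender))
    return flagged


if __name__ == "__main__":
    for number, sender in flag_suspicious_senders(SAMPLE_LOG):
        print(f"line {number}: review envelope sender {sender!r}")
```

Run over the constructed log, lines 3 and 4 are reported and lines 1 and 2 pass. The check is a triage aid, not a patch: it surfaces unusual senders for review and does nothing to close the underlying flaw, so it belongs alongside updating Exim, not instead of it.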
News URL
https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/
Related news
- New NachoVPN attack uses rogue VPN servers to install malicious updates (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Over 3 million mail servers without encryption exposed to sniffing attacks (source)
- Over 660,000 Rsync servers exposed to code execution attacks (source)