NSA Warns of Sandworm Backdoor Attacks on Mail Servers (Security News, May 2020)

The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet's most widely deployed email server software, according to the National Security Agency.
Exim is the default MTA on some Linux distributions, such as Debian and Red Hat, and Exim-based mail servers account for almost 57 percent of the internet's email servers, according to a survey last year.
The bug would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts.
The flaw can be exploited using a specially crafted email containing a modified "MAIL FROM" field in a Simple Mail Transfer Protocol message.
Once Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.
News URL: https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/