NSA Warns of Sandworm Backdoor Attacks on Mail Servers (May 2020)
The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet's top email server software, according to the National Security Agency.
Exim is the default MTA shipped with some Linux distributions, such as Debian and Red Hat, and Exim runs almost 57 percent of the internet's email servers, according to a survey last year.
The bug would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts.
The flaw can be exploited using a specially crafted email containing a modified "MAIL FROM" field in a Simple Mail Transfer Protocol message.
Once Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.
News URL
https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/
Related news
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
- New HTTP/2 DoS attack can crash web servers with a single connection
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
- Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks
- New attack leaks VPN traffic using rogue DHCP servers
- Kimsuky hackers deploy new Linux backdoor in attacks on South Korea
- Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks
- MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks
- Suspected supply chain attack backdoors courtroom recording software