The National Security Agency has identified that Russian military cyber actors – part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST) – have exploited a vulnerability in the Exim mail transfer agent (MTA) software since at least August 2019.
Exim is an MTA for Unix-based systems that comes pre-installed on some Linux distributions. Publicly known as Sandworm Team, the cyber actors exploited a vulnerability in the software that “allows a remote attacker to execute commands and code of their choosing.” This allowed the GRU cyber actors to add privileged users, disable network security settings, and execute additional scripts to enable further exploitation, NSA said.
“When [a] patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat,” NSA said.