Several vulnerabilities have been exploited by Russia-linked hackers affecting the Exim mail transfer agent (MTA) and administrators have been urged to patch immediately, but hundreds of thousands of servers remain unpatched.
Last week, the U.S. National Security Agency ( NSA) released an warning advising users to upgrade their Exim servers to version 4.93 or newer, as older versions are affected by vulnerabilities exploited by a group of hackers with links to the Russian Army.
The NSA mentioned CVE-2019-10149, a vulnerability in Exim that allows execution of remote code as the root. The flaw was patched with the release of version 4.92 in February 2019, but in May 2019 it was only identified as a vulnerability, and its impact was made public the following month. It has been exploited since at least August 2019 by Russian State-sponsored hackers, according to the NSA.
However, RiskIQ, a threat intelligence company, says there are two other vulnerabilities in Exim that were exploited in the same campaign: CVE-2019-15846, a vulnerability in remote code execution patched in September 2019 that affects version 4.92.1 and earlier, and CVE-2019-16928, a vulnerability in DoS and code execution affecting versions 4.92 through 4.92.2.
RiskIQ has said it detected more than 900,000 vulnerable Exim servers over the course of May. While Exim 4.92, which patches CVE-2019-10149, is run by a majority, the other two vulnerabilities still expose servers to attacks, which is probably why the NSA has advised users to upgrade to version 4.93.
RiskIQ reported that the number of vulnerable servers decreased steadily in May but hundreds of thousands of vulnerable servers still exist.
At present, a Shodan search shows over one million Exim servers running version 4.92 and more than 250,000 instances running version 4.91.
The threat group that exploits these vulnerabilities is tracked as Sandworm and TeleBots, and is linked to the General Staff Main Intelligence Directorate of Russia (GRU). Although the NSA has not released any information on the aims of this campaign, it is known that Sandworm is attacking a wide range of organizations in Europe and the United States.