Sandworm Group Responsible for Exim MTA Attack, NSA Warns

Posted on May 29, 2020 at 1:41 PM

The National Security Agency (NSA) warned organizations yesterday that a sophisticated hacking syndicate has been exploiting a flaw in commonly used email software.

The hacking group, known as the Sandworm team, is sponsored by the Russian government and is using the flaw in the software to infiltrate important organizations.

The Cybersecurity Directorate of the NSA said the hacking syndicate belongs to Russia's military intelligence agency. The attackers are exploiting a weakness in the Exim MTA email software, and reports revealed this has been happening since August 2019.

The NSA advisory revealed that the Russian state actors have exploited the vulnerability to disable network security, add privileges, and execute additional scripts for future attacks. The attack will most likely succeed on any network that runs an unpatched version of the Exim MTA email software.

Users should update their software immediately

The NSA has advised users to update their software quickly to prevent further exposure to the attack. The agency also warned that any user who still runs the outdated version on their network remains susceptible to attacks from the state actor.
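A defender's first step on the advice above is to confirm which Exim version each host actually runs. The following script is an added example, not code from the article, the NSA, or the Exim project: it parses the version line of `exim -bV` output and compares it against a required version that you take from the Exim advisory. The `DEMO_REQUIRED` threshold and the `SAMPLE_BV` output are constructed placeholders for the demonstration.

```shell
#!/bin/sh
# Added example: report whether an Exim install is at or above a patched version.
# DEMO_REQUIRED is a constructed placeholder; use the fixed version from the Exim advisory.
DEMO_REQUIRED="4.92"

# exim_version_from_bv OUTPUT: extract the "4.91"-style version from `exim -bV` output,
# whose first line reads like "Exim version 4.91 #1 built 01-Jan-2019 12:00:00".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing dot-separated numeric fields
# so that 4.92.1 >= 4.92 and 4.91 < 4.92 (plain string comparison gets these wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# check_exim_output OUTPUT REQUIRED: print "patched", "UNPATCHED", or "unknown"
# (no version line found, e.g. exim not installed or a different MTA answered).
check_exim_output() {
    v=$(exim_version_from_bv "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$2"; then echo "patched"; else echo "UNPATCHED"; fi
}

# Constructed sample of `exim -bV` output from an older build (not a real host).
SAMPLE_BV='Exim version 4.91 #1 built 01-Jan-2019 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018'

# Demo on the constructed sample; on a real host run:
#   check_exim_output "$(exim -bV 2>/dev/null)" "$DEMO_REQUIRED"
check_exim_output "$SAMPLE_BV" "$DEMO_REQUIRED"
```

Run it against every mail host in inventory and treat "unknown" as a finding in its own right: a host that cannot report a version is one you cannot prove is patched.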

The Sandworm group is a notorious hacking group that has been active for the past ten years. The gang has been responsible for various large-scale attacks, particularly against government organizations.

"When the patch was released last year, Exim urged its users to update to the latest version," the agency says. It also encouraged affected users to install the patch immediately to keep their networks safe.

The group has been linked to various expansive attacks on telecommunications and energy companies, to cyberattacks on the governments of Poland and Ukraine, and to attacks on the European Union and NATO.

The group was also behind the NotPetya attacks in 2017, which caused billions of dollars in damage across Asia, the United States, and Europe.

In February, Sandworm was blamed for a huge attack on private and government websites in Georgia.

The vulnerability is a very dangerous one

According to Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and founder of the cybersecurity firm CrowdStrike, the Exim MTA vulnerability is a very dangerous one. It can let one of the most sophisticated cyber actors take control of the inner sanctum of both government and corporate networks, which could be catastrophic if the attacker succeeds in infiltrating a very important government organization.

He said it is a good thing that the NSA has taken it upon itself to warn organizations, which shows the level of threat this state actor can pose through the vulnerability.

As a result, he said, it is important for organizations to prioritize defense and make serious efforts to mitigate any type of cyber threat.

Other hacking groups could follow in Sandworm’s steps

Michael Daniel, president of the security firm Cyber Threat Alliance, also gave his view on the vulnerability and on the likelihood of other groups exploiting it. He said that, given the nature of the vulnerability, other actors may well follow the route of the government-backed Russian hackers.

Since the Russians are exploiting the vulnerability, other actors may be taking advantage of it as well. He further stated that once a hacking syndicate has carried out these attacks on a network, the organization can do little or nothing to stop them. That is why it is important to install the latest software update before attackers explore the network.

Daniel also agreed that the patch recommended by the NSA is an effective one.

NSA determined to counter sophisticated cyberattacks

The NSA restructured and re-launched its Cybersecurity Directorate in October last year. Since then the agency has intensified its efforts to disseminate unclassified threat information as quickly as possible.

This enables the private sector and other organizations to protect themselves better and sooner against these attacks. The agency has also set up a new Twitter account, @NSACyber, for updates and alerts on serious security threats to organizations.
