KEY NOTES FROM THIS POST
A report by the Cybeta Threat Research Team
GRU hackers increased targeting operations against the Exim Mail Transfer Agent (MTA) on Unix-based systems.
Organizations should consider searching server and firewall logs for the relevant IOCs.
In the U.S. alone, there are over 216,067 potential opportunities for GRU hackers to exploit this software vulnerability.
NSA WARNING ABOUT RUSSIA’S MILITARY HACKERS ATTACKING EXIM MAIL TRANSFER AGENT VULNERABILITY
On the evening of May 28, 2020, the National Security Agency (NSA) released a security advisory to the public warning about increased cyber operations carried out by Russia’s General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST). According to this advisory, the GRU hackers increased targeting operations against the Exim Mail Transfer Agent (MTA) on Unix-based systems. The specific exploited vulnerability was CVE-2019-10149, which allows a remote attacker to execute commands and code of their choosing. (Source: https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru-cyber-actors/)
The NSA identified several TTPs (Tactics, Techniques, and Procedures) being used by the GRU hackers to exploit this vulnerability:
- Add privileged users to the system
- Disable network security settings
- Update SSH config to enable additional remote access
- Execute additional scripts for further network exploitation
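The first three TTPs above leave host-level artifacts that a defender can audit for: an extra UID 0 account in /etc/passwd and loosened directives in sshd_config. The following is an added example, not code from the NSA advisory or from Cybeta; the sample passwd and sshd_config contents are constructed, and the expected hardened values in EXPECTED_SSHD are an assumed baseline that each organization would set for itself.

```python
import re

# Constructed sample of /etc/passwd content: a second UID 0 account has been added
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
exim:x:101:104::/var/spool/exim4:/usr/sbin/nologin
backup2:x:0:0::/root:/bin/bash
"""

# Constructed sample of sshd_config where remote access has been widened
SAMPLE_SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes   # changed from the baseline
PermitEmptyPasswords no
"""

# Assumed hardened baseline; an unset directive is treated as a deviation so that
# the audit only passes when the value is stated explicitly.
EXPECTED_SSHD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
}

def unexpected_uid0_accounts(passwd_text, allowed=("root",)):
    """Return account names with UID 0 that are not on the allow-list."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip malformed or blank lines
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            found.append(name)
    return found

def sshd_deviations(config_text, expected=EXPECTED_SSHD):
    """Return {directive: actual value} for directives that differ from the baseline."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())  # sshd honours the first value
    return {d: seen.get(d.lower(), "<unset>") for d, want in expected.items()
            if seen.get(d.lower(), "<unset>").lower() != want.lower()}

def audit(passwd_text, config_text):
    """Combine both checks into one report for the host."""
    return {"uid0_accounts": unexpected_uid0_accounts(passwd_text),
            "sshd_deviations": sshd_deviations(config_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG))
```

On a live host, feed the script the real /etc/passwd and /etc/ssh/sshd_config and compare the output against a known-good baseline captured before the mail server was exposed.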
How to avoid this vulnerability?
There are several recommended mitigation strategies, ranging from near-term to longer-term actions (U/OO/140757-20).
Upgrade to the latest version of Exim: This is by far the lowest-hanging fruit when it comes to hardening any enterprise. Ensuring that the hardware and software running across your organization is up-to-date is a pivotal threat mitigation step.
Internal Detection and Unauthorized Changes: Network-based security monitoring to detect or block CVE-2019-10149 exploit attempts should be implemented. Snort rule 1-50356 alerts on exploit attempts. If your organization does not have an Intrusion Detection System (IDS) in place, Snort is a free alternative that is very robust and effective.
Defense-in-depth Security Strategy: Network segmentation strategies that limit the access rights of public-facing software are critical to mitigating an adversary’s ability to exploit the perimeter and then launch further attacks on the internal network. Setting up a DMZ for this public-facing software and implementing appropriate firewall rules is essential to network segmentation.
Indicators of Compromise (IOC)
Organizations should consider searching server and firewall logs for the following IOCs which the NSA has associated with the GRU hackers’ operations to exploit the Exim vulnerability:
U.S. Threat Surface for Exim Exploitation
Our team has been monitoring the presence of known Exim vulnerabilities across global internet infrastructure. In the U.S. alone, there are over 216,067 potential opportunities for GRU hackers to exploit this software vulnerability.
The graphic below shows the number of vulnerabilities, per state, in the top 50 most vulnerable states, relative to Exim CVE-2019-10149. Out of the sample of affected infrastructure our team reviewed, every affected host had more vulnerabilities present than CVE-2019-10149 alone. Most had at least two additional vulnerabilities present in the infrastructure. Almost all were present due to outdated software.
Cybeta is a cybersecurity data science firm focused on developing advanced analytics for early indications and warning of potential or emerging cyber-attacks. Our flagship product, Threat Beta, has been independently verified and validated to provide accurate forecasting of future breach exposure.
Cybeta works with various data providers, as well as through our own deployment of network sensors, to provide a continuous stream of near-real-time data for our analytics and prediction engine. By providing corporate executives and government officials with advanced insights into future attack potential, we are enabling organizations to make the shift towards an active defense cybersecurity strategy.