'Dream access' vulnerability as US NSA warns The Return of the WIZard is back

News by Andrew McCorkell

Potential for major damage with Exim machines likely to be exposed while experts warn more 'aggressive and brazen' threats are likely.

The Russia-linked APT group known as the Sandworm Team has been exploiting a critical flaw in the Exim mail transfer agent (MTA) software from August 2019, the US National Security Agency (NSA) has warned.

The flaw, known as “The Return of the WIZard,” affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software.

John Hultquist, senior director of analysis, Mandiant Threat Intelligence said: "Sandworm Team, the actor referenced in the NSA advisory, is one of the most aggressive and brazen actors we track. They were responsible for turning the power off in Ukraine twice, and carrying out the most expensive attack in history, the NotPetya attacks.

"They interfered in the 2016 US elections as well as French elections, and they demonstrated their contempt for the international community when they brazenly attempted to disrupt the Olympic Games in Pyeongchang. Any warning regarding their activity should be prioritised by defenders and taken very seriously.”

Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well.

The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code.

Jake Moore, a cybersecurity specialist at ESET said: “Even the NSA describes this as an attacker’s dream access, proving yet again that the Sandworm Team are one of the more elite APT actors at finding a vulnerability.

“A lot of Exim machines are likely to be exposed to inside sensitive controlled environments that are potentially being used for monitoring or reporting. Losing control of this could potentially give away access to this extremely sensitive environment and cause major damage.

“Moreover, being exposed for quite some time leaves them vulnerable to more threats, so taking measures to mitigate this risk might be more difficult than a simple update if the weakness has already been exploited.

“That said, and acting as a timely reminder, it is highly recommended that those affected update Exim immediately by installing version 4.93 or newer to reduce those risks and other possible vulnerabilities.”

An NSA advisory says: “Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August."

The advisory added that: "The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

When the patch was released last year, Exim urged its users to update to the latest version, the advisory said, adding that NSA advises that organisations immediately patch to mitigate against this still current threat.

David Emm, principal security researcher at Kaspersky said: “Businesses come in all shapes and sizes, but in today’s world, no organisation, large or small, can afford to ignore online security. The vulnerability reported by the NSA is a worrying reminder that we must remain vigilant and aware of ongoing, potential threats. 
"Kaspersky recommends anyone using Exim MTA should follow advice and upgrade to version 4.93 or later. Overall, organisations should prioritise the security of their networks and install all necessary patches on time, in order to avoid future damage.
"Although businesses have no direct control over the growth of cybercrime, by taking simple steps to secure their internal systems, they can reduce their exposure to attack.”

For more information read Cybersecurity Advisory "Sandworm Actors Exploiting Vulnerability in Exim Mail Transfer Agent

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews