As a reminder: according to experts, Sandworm has been active since roughly the mid-2000s. The group is believed to have developed the BlackEnergy malware used in the attack that caused a blackout in Ukraine, and it may also be behind the notorious NotPetya ransomware.
According to the NSA, since August 2019 Sandworm has been attacking mail servers running the Exim mail transfer agent. The intrusions exploit the critical vulnerability CVE-2019-10149, a remote command-execution flaw in Exim 4.87 through 4.91 (fixed in 4.92) that was disclosed in the summer of 2019 and picked up by many other attackers almost immediately.
Exim runs on almost half of all mail servers, and according to the available statistics, as of May 1, 2020 only about half of the Exim servers visible on the Internet had been updated to version 4.93 or later. In other words, there is no shortage of targets.
Once a server has been compromised, it downloads and executes a shell script that can:
- add privileged users;
- disable network security settings;
- update the SSH configuration to give the attackers additional remote access;
- execute a further script to continue the attack.
The NSA reminds private and government organizations that they need to upgrade Exim to version 4.93 or later, and that it is worth checking their servers against the indicators of compromise published in the agency's advisory.
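The post-compromise actions listed above (new privileged accounts, loosened SSH access) and the upgrade recommendation translate directly into host checks. The script below is an added example written for this article; it is not code from the NSA advisory and does not use the advisory's indicators. It inspects three things a defender would pull from a suspect host: the output of `exim -bV`, the contents of /etc/passwd, and /etc/ssh/sshd_config. The sample inputs are constructed for illustration, and the specific sshd settings it flags (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, non-default AuthorizedKeysFile paths) are this example's assumptions about what "additional remote access" looks like, not a description of the actual Sandworm script.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data for this example; not indicators from the NSA advisory.
SAMPLE_EXIM_BV = "Exim version 4.92 #3 built 12-Jun-2019 10:00:00"

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:102:105::/var/spool/exim4:/usr/sbin/nologin
support:x:0:0::/tmp:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """# hypothetical sshd_config after tampering
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /root/.ssh/authorized_keys2
"""

# The advisory asks for 4.93 or newer; anything older is treated as needing an upgrade.
MIN_SAFE_EXIM = (4, 93)


def exim_version(bv_output: str) -> Tuple[int, ...]:
    """Extract the numeric version from `exim -bV` output as a tuple of ints."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", bv_output)
    if not m:
        raise ValueError("could not find an Exim version string")
    return tuple(int(part) for part in m.group(1).split("."))


def exim_needs_upgrade(bv_output: str) -> bool:
    """True if the running Exim is older than 4.93 (tuple comparison handles 4.93.x)."""
    return exim_version(bv_output) < MIN_SAFE_EXIM


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Every account other than 'root' with UID 0: the simplest way to 'add a privileged user'."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the audit
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


# Assumed set of settings that widen remote access (this example's choice, not the advisory's).
RISKY_SSHD = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}
# OpenSSH's default AuthorizedKeysFile value; anything else is reported.
DEFAULT_AUTHORIZED_KEYS = {".ssh/authorized_keys", ".ssh/authorized_keys2"}


def weak_sshd_settings(config_text: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs for global settings that widen remote access.

    Handles the common 'Keyword value' form. Parsing stops at the first Match block,
    because settings inside it are conditional and need separate interpretation.
    Keywords are case-insensitive in sshd_config, so they are lowercased for lookup.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword in RISKY_SSHD and value.lower() in RISKY_SSHD[keyword]:
            findings.append((parts[0], value))
        elif keyword == "authorizedkeysfile":
            extra = [p for p in value.split() if p not in DEFAULT_AUTHORIZED_KEYS]
            if extra:
                findings.append((parts[0], " ".join(extra)))
    return findings


def audit(bv_output: str, passwd_text: str, sshd_config_text: str) -> Dict[str, object]:
    """Bundle the three checks into one report keyed by check name."""
    return {
        "exim_needs_upgrade": exim_needs_upgrade(bv_output),
        "extra_uid0_accounts": extra_uid0_accounts(passwd_text),
        "weak_sshd_settings": weak_sshd_settings(sshd_config_text),
    }


if __name__ == "__main__":
    # On a real host, feed in the output of `exim -bV`, /etc/passwd and
    # /etc/ssh/sshd_config; here the constructed samples above are used.
    for name, result in audit(SAMPLE_EXIM_BV, SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG).items():
        print(f"{name}: {result}")
```

A clean host should produce an empty account list and an empty sshd list; on the constructed sample the audit reports the pre-4.93 Exim, the second UID 0 account "support", and the three sshd changes. The checks are deliberately narrow: they do not cover the "disable network security settings" step, which depends on the distribution's firewall tooling, and they should be paired with the advisory's own indicators rather than replace them.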