A Russian government-backed hacking group has been quietly exploiting a critical remote code execution vulnerability in Exim email servers since 2019, the U.S. "That's why we're bringing this notification out", said Doug Cress, chief of the cybersecurity collaboration center and directorate at NSA, in an advisory.
The vulnerability was introduced in a June 2019 update, NSA says, and was remediated in the most recent version of the software.
The NSA is urging users to patch the flaw immediately in light of Sandworm's exploitation.
The timing of the NSA's advisory is a bit unusual, though, as the critical vulnerability in Exim was identified 11 months ago and a patch has already been released to fix the issue.
When Sandworm exploits the vulnerability, victim machines download and execute a shell script from a Sandworm-controlled domain, according to the NSA.
Exim is so widely used - though far less known than such commercial alternatives as Microsoft's proprietary Exchange - that some companies and government agencies that run it may still not have patched the vulnerability, said Jake Williams, president of Rendition Infosec and a former U.S. government hacker.
It is the most widely used MTA and is deployed on over half of all Internet-facing mail servers.
The cybersecurity research community refers to this same hacking group as "Sandworm", and has previously connected it to disruptive cyberattacks against Ukrainian electric production facilities.
It took Williams a few minutes of online probing on Thursday to find a potentially vulnerable government server in the UK.
Jack Mannino, CEO of security firm nVisium, notes: "Gaining root access within an organization's perimeter gives an attacker the ability to exfiltrate sensitive data and access other important internal systems without being detected".
In addition to patching unsecured Exim software, the NSA recommends system administrators routinely monitor for unauthorized system modification.
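The NSA's second recommendation, routinely monitoring for unauthorized system modification, is usually implemented as file-integrity monitoring: record a baseline of hashes and permissions for the files that matter on a mail server, and periodically compare a fresh snapshot against it. The following is an added example written for this article, not code from the NSA advisory or the Exim project; the directory layout, file names and tampering steps in `demo()` are constructed to show what a diff looks like when a configuration file is altered, a binary is removed and an unexpected file is dropped.

```python
"""Minimal file-integrity baseline and comparison (added example, not from the advisory)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its digest and permission bits.

    Symlinks are skipped so a link pointing outside the tree cannot mask or
    inject content; a production tool would record link targets separately.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.stat().st_mode & 0o7777
            baseline[str(p.relative_to(root))] = {"sha256": sha256_of(p), "mode": oct(mode)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the files that appeared, disappeared, or changed content/permissions."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot a fake mail-server tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "exim.conf").write_text("primary_hostname = mail.example.test\n")
        (root / "usr").mkdir()
        (root / "usr" / "exim").write_bytes(b"\x7fELF placeholder binary")

        # Baseline is serialised to JSON exactly as a real tool would store it on
        # trusted, preferably read-only or off-host, media.
        saved = json.dumps(build_baseline(root))

        # Simulated unauthorized modification (constructed, not observed activity):
        (root / "etc" / "exim.conf").write_text("primary_hostname = mail.example.test\n# extra\n")
        (root / "usr" / "exim").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected_job").write_text("* * * * * root /tmp/x\n")

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison covers both content and permission bits, because a changed mode on a setuid binary is as much a modification as a changed hash. In practice the baseline must be stored where the monitored host cannot rewrite it, and the comparison should run from a schedule the host's own users cannot edit; otherwise the same root access that modifies the system can also update the baseline.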
The agency said the hacking activity was tied directly to a specific unit within Russia's Main Intelligence Directorate. In October 2019, Western intelligence agencies linked the group to a cyberattack that targeted the country of Georgia, crippling at least 2,000 government, news media and court websites over the course of one day (see: US, UK Blame Russia for Cyberattack in Country of Georgia).
Sandworm operatives, tied to Russia's GRU military intelligence arm, caused great damage to the 2016 U.S. presidential election, stealing and exposing Democratic National Committee emails and breaking into voter registration databases.