Threat Advisory: Sandworm Actors Exploiting Exim Vulnerability

May 29, 2020

A critical remote code execution vulnerability is actively being scanned for and exploited across the Internet. Herjavec Group initially published a Threat Advisory for CVE-2019-10149, known as “Return of the WIZard”, when it was discovered in June 2019.

Recently, the NSA published an updated advisory regarding Sandworm threat group operators exploiting the same vulnerability in the Exim Mail Transfer Agent (MTA).

The group has been exploiting the vulnerability since August 2019.

The Exim MTA is commonly used for Unix-based systems and comes pre-installed on some Linux distributions. The vulnerability in the Exim MTA allows an unauthenticated remote attacker to execute commands with root privileges by sending a specially crafted email that contains a command within the "MAIL FROM" field in the SMTP (Simple Mail Transfer Protocol) message. Upon successful exploitation, the attacker can install programs, modify data, and create new accounts.

Sandworm exploitations download and execute a script from a Sandworm-controlled domain. The script attempts to add privileged users, disable network security settings, update SSH configurations to allow remote access, and execute an additional script for further exploitation.

Mitigations for the Exim Vulnerability

Exim has released an update for version 4.93 and newer to mitigate the vulnerability. Users should download the most updated version of the software to avoid being exploited by known vulnerabilities. Organizations can install updates either via the Linux distribution's package manager or by downloading the latest version from Exim.

In addition, the principle of least access should be applied to any public-facing software such as MTAs, as this can help prevent exploitation attempts from being successful.

Herjavec Group strongly recommends implementing the following best practices:

  • Networks should be segmented into zones based on roles and requirements.
  • Public-facing MTAs should be isolated from sensitive internal resources in a demilitarized zone (DMZ).
  • Firewall rules should be used to block unexpected traffic from reaching internal resources.
  • MTAs should only be allowed to send outbound traffic to necessary ports, with other ports blocked.
  • System modifications, such as additional accounts and SSH key, should be verified.
  • Review network security logs from devices protecting Exim servers to identify exploitation and ensure network-based protection for Exim servers.

IOCs Associated with Sandworm

The following IP addresses and domains have been found to be associated with the Sandworm threat group:

  • 95.216.13.196
  • 103.94.157.5
  • hostapp[.]be

Herjavec Group Vulnerability Management clients can reference their latest reports for CVE-2019-10149. We are reviewing the most recent scan data and will escalate patches as required.

Herjavec Group is proactively ensuring that applicable signatures are up to date for our Managed Security Services Customers.  We are actively engaged with all technology product updates relating to CVE-2019-10149.

If your organization has been affected by the vulnerability, please contact us for Incident Response or compromise assessment support as needed. 


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn