Half the world’s email servers, powered by Exim, are vulnerable to hacking by Russian hacking group Sandworm using the “Return of the WIZard” vulnerability
If you are a noob, you probably don’t know about Exim email servers. Exim powers half the world’s email systems and is vulnerable to a critical flaw identified as “Return of the WIZard” or CVE-2019-10149. What makes it doubly potent is that a known Russia-sponsored hacking group, Sandworm, is exploiting this vulnerability to gain access to Exim email servers.
The severity of the vulnerability can be gauged by the fact that the premier United States spying agency, the NSA, has issued a security alert naming Russia for the first time: the US National Security Agency (NSA) warns of Russian-backed Sandworm hacking attacks against Exim email servers using the Return of the WIZard vulnerability.
What is an Exim email server?
Exim is a mail transfer agent (MTA): software that runs on email servers to relay email from senders to recipients. It is used by nearly half of the world’s email services, including Microsoft. Exim is a general and flexible mailer with extensive facilities for checking incoming e-mail, and Exim 4 is currently the default MTA on Debian GNU/Linux systems.
What is the Return of the WIZard or CVE-2019-10149 vulnerability?
The CVE-2019-10149 or Return of the WIZard vulnerability was discovered in Exim mail servers in June 2019 and impacts nearly half the email servers in the world. It was discovered by Qualys, a cyber-security firm, which found that it affects Exim installations running versions 4.87 to 4.91. The Return of the WIZard vulnerability is described as a remote command execution — different, but just as dangerous as a remote code execution flaw — that lets a local or remote attacker run commands on the Exim server as root.
Qualys said the vulnerability can be exploited instantly by a local attacker who has a presence on an email server, even with a low-privileged account. It also allows hackers to remotely scan the internet for vulnerable servers and take over systems. Hackers were exploiting the vulnerability just two weeks after it was discovered, as it was pretty easy to exploit. “To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes),” the researchers said. The vulnerability was accidentally patched with the release of Exim 4.92, but at the time the Exim team did not know they had fixed a major security hole.
However, many of the world’s email services have not upgraded to Exim 4.92, leaving their Exim-powered email servers vulnerable to the Return of the WIZard vulnerability.
Who is the Sandworm hacking group?
The Sandworm hacking group is a Russian state-sponsored hacking enterprise. Sandworm consists of members of the elite Russian hacking Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service.
Sandworm has been quite active in hacking anti-Russia services. The group has targeted industrial control systems using a tool called BlackEnergy, which has been associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Sandworm has also been accused of hacking the Ukrainian electrical grid in 2015. It also DDoSed Ukraine’s electrical grid just before Russia invaded Georgia.
The NSA believes Sandworm has been actively exploiting the Return of the WIZard vulnerability in the Exim mail transfer agent since July 2019, after the vulnerability was disclosed by Qualys. “When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” the NSA report says.
This shell script would:
- Add privileged users
- Disable network security settings
- Update SSH configurations to enable additional remote access
- Execute an additional script to enable follow-on exploitation
The NSA is now warning private and government organizations to update their Exim servers to version 4.93 and to look for signs of compromise, as suggested in this tweet:
How can you tell if your Exim server was owned by RU using CVE-2019-10149? Check your @Zeekurity #networksecuritymonitoring logs. Look at that lovely unencrypted HTTP callback. Zeek would likely have conn, HTTP, SMTP entries, and possibly files as well. https://t.co/E9RAeyaY7T pic.twitter.com/OTMLh9R0Z5
— Richard Bejtlich (@taosecurity) May 28, 2020
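As an added example (not from the article, the NSA advisory, or the tweet) of the check Bejtlich suggests: a mail server that accepts an inbound SMTP session and shortly afterwards opens an outbound cleartext HTTP connection matches the callback pattern the NSA describes. The script assumes Zeek’s TSV conn.log layout with its standard field names; the log excerpt and the mail server address 192.0.2.25 are constructed.

```python
"""Correlate inbound SMTP sessions with later outbound HTTP from a mail host.

Added example: hunts for the CVE-2019-10149 callback pattern (a victim Exim
server fetching a script over cleartext HTTP) in a Zeek conn.log.
"""

# Constructed Zeek conn.log excerpt (not captured traffic). Only the fields this
# check reads are kept; real conn.log headers list many more columns.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1559300000.100\tCa1\t198.51.100.7\t40210\t192.0.2.25\t25\ttcp\tsmtp\n"
    "1559300003.250\tCb2\t192.0.2.25\t51000\t198.51.100.7\t80\ttcp\thttp\n"
    "1559301200.000\tCc3\t203.0.113.5\t44000\t192.0.2.25\t25\ttcp\tsmtp\n"
    "1559301201.500\tCd4\t192.0.2.25\t51002\t192.0.2.10\t443\ttcp\tssl\n"
    "1559302000.000\tCe5\t192.0.2.25\t51004\t192.0.2.9\t80\ttcp\thttp\n"
)


def parse_zeek_tsv(text):
    """Return Zeek TSV records as dicts keyed by the names in the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_http_callbacks(rows, mail_host, window=600.0):
    """(uid, destination) of outbound port-80 connections from mail_host that
    start within `window` seconds after an inbound SMTP connection to it."""
    smtp_starts = [float(r["ts"]) for r in rows
                   if r["id.resp_h"] == mail_host and r["id.resp_p"] == "25"]
    hits = []
    for r in rows:
        if r["id.orig_h"] != mail_host or r["id.resp_p"] != "80":
            continue
        ts = float(r["ts"])
        # An MTA has little reason to fetch anything over cleartext HTTP right
        # after a client spoke SMTP to it; flag the connection for review.
        if any(0 <= ts - s <= window for s in smtp_starts):
            hits.append((r["uid"], r["id.resp_h"]))
    return hits


if __name__ == "__main__":
    for uid, dest in find_http_callbacks(parse_zeek_tsv(CONN_LOG), "192.0.2.25"):
        print(f"suspicious HTTP callback {uid} -> {dest}; pivot into http.log/files.log")
```

Pivot on the flagged uid into Zeek’s http.log and files.log to recover the requested URI and the fetched script, the entries the tweet points to.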
According to the NSA, nearly half of the world’s email servers are vulnerable to Sandworm’s hacking attacks. These stats from May 1, 2020, reveal that only half of all Exim servers have been updated to version 4.93 or later.