A notorious hacking team backed by the Russian government has been exploiting a serious flaw in widely used email server software, the National Security Agency (NSA) warned Thursday, issuing a rare advisory that publicly attributed exploitation of the flaw to a nation-state actor.
The NSA's Cybersecurity Directorate said a group of cyber actors known as the "Sandworm team" from the GRU, Russia's military intelligence agency, had identified and exploited a vulnerability (CVE-2019-10149) in the widely deployed Exim Mail Transfer Agent (MTA) since at least August 2019.
"The Russian actors … have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA," the advisory said.
The agency advised administrators to update the software immediately, noting that the fix has been available since the Exim 4.92 release, and warned that any installation still running an older version would remain vulnerable to attack.
"When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat," it said.
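The advisory's advice is to patch, but the first thing a responder actually has to do is find out which Exim release each mail host is running. The following POSIX shell script is an added example, not part of the NSA advisory or of the Exim project: it parses the version out of `exim -bV` output (whose first line reads "Exim version 4.92 #3 built ...") and compares it against the release that first carried the fix. The threshold of 4.92 is an assumption baked into FIXED_VERSION; distributions that backport fixes keep older version numbers, and the NSA advisory itself recommended moving to the then-current 4.93 or newer, so set it to whatever your vendor advisory names and treat the result as triage, not proof of safety. The sample `exim -bV` output is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the NSA advisory or the Exim project): report whether
# an installed Exim is older than the release that first carried the fix.
# ASSUMPTION: the fix shipped in Exim 4.92. Distributions that backport fixes
# keep the older version number, so set FIXED_VERSION to match your vendor
# advisory; a version check is a triage aid, not proof of safety.
FIXED_VERSION="4.92"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Trailing non-numeric text ("4.92 #3", "4.93-RC1") is ignored, so a release
# candidate compares the same as the final release.
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}          # a missing field counts as 0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1                               # equal is not "older than"
}

# exim_version_from_output TEXT: pull the version out of `exim -bV` output,
# whose first line looks like "Exim version 4.92 #3 built 05-Jun-2019 ...".
exim_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_status VERSION: print "vulnerable" or "patched" for a version string.
# An empty or unparsable version compares as older than everything, so an
# unknown build is reported as vulnerable rather than silently passed.
exim_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_local_exim: run the check against the exim binary on this host.
# Exit status: 0 when exim is absent or parsed, 2 when present but unparsable.
check_local_exim() {
    if ! command -v exim >/dev/null 2>&1; then
        echo "exim: not installed"
        return 0
    fi
    v=$(exim_version_from_output "$(exim -bV 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "exim: present, but version string not recognised" >&2
        return 2
    fi
    echo "exim $v: $(exim_status "$v")"
}

# Constructed sample of `exim -bV` output (not captured from a real host),
# so the parsing can be demonstrated offline.
SAMPLE_BV='Exim version 4.91 #1 built 03-Jun-2018 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018'

sample_version=$(exim_version_from_output "$SAMPLE_BV")
echo "sample host: exim $sample_version: $(exim_status "$sample_version")"

# Pass --local to also inspect the exim binary on this machine.
if [ "${1:-}" = "--local" ]; then
    check_local_exim
fi
```

Run it as `sh check_exim.sh --local` on each mail host (the name is arbitrary); without the flag it only exercises the constructed sample. Because `version_lt` compares numeric fields and ignores build suffixes, it is safe to feed it the raw first line of `exim -bV`, but it knows nothing about distribution backports, which is why the threshold is a variable rather than a constant.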
Sandworm is known to have operated for at least a decade and has been linked to large-scale cyberattacks on government, energy and telecommunications sectors in Ukraine and Poland, as well as on NATO and the European Union. The group was determined to be behind the devastating 2017 NotPetya attacks, which caused billions of dollars of damage across Europe, the United States and Asia. In February, the State Department publicly blamed Sandworm for a widespread cyberattack on government and private websites in the country of Georgia.
"This is a dangerous vulnerability that can provide an entryway for one of the most threatening cyber actors into the inner sanctum of corporate and government networks," said Dmitri Alperovitch, co-founder and former chief technology officer of cybersecurity firm CrowdStrike and chairman of Silverado Policy Accelerator.
"It is an important sign that NSA is now providing this highly relevant context about which adversary is exploiting this vulnerability that is highly helpful for defenders to prioritize defense and other mitigation efforts," Alperovitch said.
Michael Daniel, president of the Cyber Threat Alliance and cybersecurity coordinator in the Obama administration, said other cyber actors were also likely to follow the Russians' lead.
"If an adversary can carry out these actions on your network, they can do whatever they want and you have very limited ability to detect or stop them," Daniel said. "If the Russians are exploiting this vulnerability, then other actors are either using it, too – or they soon will," he said, noting the recommended patch was a simple and effective fix.
The NSA's Cybersecurity Directorate, launched last October as part of an agency restructuring, has been charged with disseminating unclassified threat information more quickly so that private sector entities can take steps to protect themselves from cyberattacks.
In January, the directorate announced a critical certificate-validation flaw in the CryptoAPI of Microsoft's Windows 10 operating system. It notably disclosed the vulnerability to the company instead of keeping it for the agency's own cyber operations, as had been its practice in the past.
The NSA on Wednesday launched a new Twitter account, @NSACyber, where news of the Exim vulnerability was also announced.