26 Jun 2020

Cybersecurity Alerts Highlight a Critical Vulnerability and an Important Reminder

Ashli LoppNews  

Both the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings about a critical vulnerability in email servers. Learn about this vulnerability and an important reminder highlighted by the alerts.

Usually the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issue alerts when new cybersecurity threats emerge. But on May 28, 2020, these agencies did something different. They issued alerts for cyberattacks that have been occurring for nearly a year.

Back on May 27, 2019, a critical vulnerability (CVE-2019-10149) was found in Exim mail transfer agents (MTAs), versions 4.87 to 4.91. (MTAs are used to transfer emails between senders’ and recipients’ computing devices.) Exim quickly patched the vulnerability, releasing it to the public just nine days later on June 5, 2019. The vulnerability was disclosed to the public on that day as well.

Less than a week after its disclosure, hackers began exploiting the vulnerability in unpatched Exim email servers. The attacks continued, prompting companies like Microsoft to issue alerts. The situation escalated in August 2019, when Russian military cyber actors known as Sandworm began exploiting it, according to the NSA. Sandworm used the vulnerability to add privileged users, disable network security settings, change configurations to enable additional remote access, and execute other malicious code.

Since August 2019, Sandworm has continued to exploit the CVE-2019-10149 vulnerability, prompting both the NSA and CISA to issue their May 28, 2020, advisories. Sandworm has had many targets from which to choose. More than 75,000 email servers are still running the unpatched versions of Exim (versions 4.87 to 4.91).

Therein lies the problem. Had organizations patched their email servers by upgrading to at least version 4.92, Sandworm would not have had any servers to hack the last 10 months. So, if your company’s email server is using the Exim MTA, make sure it is upgraded to version 4.92 or later.

Just as important, no matter whether your company is using Exim MTA or not, make sure that all your software on all your computing devices is up to date. Patching known vulnerabilities is a crucial component in protecting your business from cyberattacks.

Leave a Reply

Your email address will not be published. Required fields are marked *