The National Security Agency in the United States of America has revealed that Russian cyber actors from the GRU Main Center for Special Technologies have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019. The cyber actors responsible for this malicious cyber programme are known publicly as the Sandworm team.
Once the Exim vulnerability had been exploited, Sandworm could add privileged users, disable network security settings, update SSH configurations to enable additional remote access, and execute an additional script to enable follow-on exploitation.
Yana Blachman, Threat Intelligence Specialist, Venafi, said: “A new wave of Sandworm attacks is deeply concerning. Highly sophisticated APT groups can use SSH capabilities to maintain undetected remote access to critical systems and data, allowing attackers to do nearly anything from circumventing security controls, injecting fraudulent data, subverting encryption software and installing further payload.
“There has been a rise in both malware and APT campaigns that leverage SSH, but unfortunately, organisations routinely overlook the importance of protecting this powerful asset. Hopefully, this warning from the NSA will force organisations to review how they’re protecting SSH capabilities before cyber attackers make their move.”
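As an added illustration (not part of the NSA advisory or this article), the following Python audits two of the post-exploitation changes described above on constructed sample input: extra UID 0 accounts in /etc/passwd and sshd_config settings that widen remote access. The list of risky settings is an assumed hardening baseline, not one taken from the advisory.

```python
"""Audit helpers for two host changes named in the advisory: added
privileged accounts and SSH settings that widen remote access."""
import re

# Assumed baseline: these keyword/value pairs widen remote access.
# Adjust to your own policy; sshd keywords are case-insensitive.
RISKY_SSHD = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for effective lines.
    Like sshd, the first occurrence of a keyword wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def risky_sshd_settings(text):
    """Sorted list of keywords whose effective value is in RISKY_SSHD."""
    cfg = parse_sshd_config(text)
    return sorted(k for k, bad in RISKY_SSHD.items()
                  if cfg.get(k, "").lower() in bad)


def extra_uid0_accounts(passwd_text, expected=("root",)):
    """Account names with UID 0 that are not in the expected set."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in expected:
            found.append(fields[0])
    return found


# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no   # later duplicate is ignored by sshd
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    print(risky_sshd_settings(SAMPLE_SSHD))    # ['permitrootlogin']
    print(extra_uid0_accounts(SAMPLE_PASSWD))  # ['svc_backup']
```

Run the same two functions against the live files and a known-good copy of sshd_config to turn this into a drift check.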