NSA warns of new Sandworm attacks
The U.S. National Security Agency (NSA) said recently that email servers running the Exim mail transfer agent were being targeted by cybercriminals.
The hackers, believed to be Russian, have been attempting to install backdoors since 2019.
Last Friday, the NSA issued a security alert warning of a new hacking campaign targeting mail servers. The U.S. National Security Agency accuses Russia of being behind the attacks: it states that the hackers responsible are part of the Russian state's most advanced cyberespionage unit. The unit in question is Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a branch of the Russian military intelligence service. It is believed to be behind the attacks on email servers running the Exim mail transfer agent.
The group of hackers identified by the NSA also calls itself Sandworm. The U.S. agency says it has been targeting Exim since mid-2019, with attacks that revolved around exploiting a security flaw, CVE-2019-10149. "When Sandworm exploited CVE-2019-10149, the victim machine downloaded and then executed a shell script from a Sandworm-controlled domain," the NSA explains. With this malicious script, the attackers could then:
– Add users with admin privileges;
– Disable network security configurations;
– Update SSH configurations to give themselves remote access;
– Run an additional script for follow-on activity.
The U.S. security agency has urged government and private organizations to update their Exim servers to version 4.93. The NSA also advises conducting security audits to look for potential vulnerabilities and for signs of compromise. To this end, it provides organizations with indicators of compromise, which are available in the published PDF.
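To make the audit advice concrete, here is an added example (not code from the NSA alert or from the Exim project) of a small host check that covers the two points above: it compares the running Exim version against the 4.93 threshold the alert recommends and looks for the kinds of changes the script is described as making, namely extra UID-0 accounts and sshd_config directives that widen remote access. The `exim -bV` banner format, the sample passwd and sshd_config lines, and the account name `sysadm2` are constructed for the example; the sshd checks are generic hardening checks, not a list taken from the advisory.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Version the NSA alert tells administrators to move to (from the article).
MIN_SAFE_VERSION: Tuple[int, int] = (4, 93)

# sshd_config directives whose listed values widen remote access.
# Assumption: these are generic checks chosen for this example, not the
# exact edits the advisory attributes to the downloaded script.
RISKY_SSHD_SETTINGS: Dict[str, set] = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}


def parse_exim_version(banner: str) -> Tuple[int, int]:
    """Return (major, minor) from the first line of `exim -bV`.

    Assumed banner format: 'Exim version 4.92 #3 built 19-Jun-2019'.
    """
    match = re.search(r"Exim version (\d+)\.(\d+)", banner)
    if match is None:
        raise ValueError(f"unrecognised Exim banner: {banner!r}")
    return int(match.group(1)), int(match.group(2))


def exim_is_outdated(banner: str) -> bool:
    """True when the running Exim is older than the version the alert recommends."""
    return parse_exim_version(banner) < MIN_SAFE_VERSION


def extra_uid0_accounts(passwd_lines: Iterable[str]) -> List[str]:
    """Return UID-0 account names other than 'root' (an added privileged user)."""
    extra = []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # not a well-formed passwd record
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def risky_sshd_settings(config_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs from sshd_config that widen remote access.

    Commented-out directives are ignored; keys are compared case-insensitively
    because sshd itself treats directive names that way.
    """
    flagged = []
    for line in config_lines:
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if value.lower() in RISKY_SSHD_SETTINGS.get(key.lower(), set()):
            flagged.append((key, value))
    return flagged


def audit(exim_banner: str, passwd_lines: Iterable[str],
          sshd_lines: Iterable[str]) -> Dict[str, object]:
    """Run the three checks and return one report dictionary."""
    return {
        "exim_version": parse_exim_version(exim_banner),
        "exim_outdated": exim_is_outdated(exim_banner),
        "extra_uid0_accounts": extra_uid0_accounts(passwd_lines),
        "risky_sshd_settings": risky_sshd_settings(sshd_lines),
    }


# Constructed sample data standing in for `exim -bV`, /etc/passwd and sshd_config.
SAMPLE_BANNER = "Exim version 4.92 #3 built 19-Jun-2019"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:104:110::/var/spool/exim4:/usr/sbin/nologin
sysadm2:x:0:0::/root:/bin/bash
"""
SAMPLE_SSHD = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    report = audit(SAMPLE_BANNER, SAMPLE_PASSWD.splitlines(), SAMPLE_SSHD.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host the three inputs would come from `exim -bV`, `/etc/passwd` and `/etc/ssh/sshd_config`; the version check alone does not tell you whether the server was already exploited before patching, which is why the account and SSH checks (and the NSA's published indicators) belong in the same audit.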
In addition, it should be noted that the group called Sandworm has been active since the 2000s. Some cybersecurity experts even accuse it of being behind the malware known as BlackEnergy, which caused enormous damage to Ukraine's energy sector and major power outages in December 2015 and 2016. What we know for sure is that this group is the origin of one of the most notorious pieces of malware ever seen: the ransomware NotPetya, which has cost companies around the world billions of dollars.
Moreover, according to Western media, Sandworm is considered one of the most advanced groups financed by the Russian state, along with the hacker group "Turla". The security flaw that the Sandworm group is trying to take advantage of (CVE-2019-10149) was disclosed in June of last year. At that time, Microsoft had started issuing alerts explaining to customers of its cloud service, Microsoft Azure, that malware had been developed which threatened Exim servers. The goal was to take over the cloud infrastructure of the Redmond firm.