NSA flags email vulnerability

Since at least August of last year, Russian hackers have been taking advantage of a longstanding vulnerability in a commonly used email delivery software, according to the National Security Agency.

The flaw, which NSA said allows "pretty much any attacker’s dream access," gives hackers the ability to turn off network security, add privileged users and enable remote connections and subsequent penetrations.

A Russian military intelligence team called Sandworm is responsible, NSA said, for leveraging a flaw in the Exim Mail Transfer Agent software – a program widely used in Unix-based email systems.

The vulnerability was introduced in a June 2019 update, NSA said, and was remediated in the most recent version of the software.  The remote code execution allows an unauthenticated remote attacker to send “a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts,” NSA explained in an advisory.

An estimate from last October indicated that Exim was in use in almost 500,000 email servers worldwide, and was by far the most widely used software of its type.

Exim had been publicly urging users to update even before NSA revealed the exploitation of the flaw. NSA advised administrators to conduct checks for prior exploitation on their networks and look for unauthorized accounts or remote access authorizations.

Sandworm, an element of Russia's GRU, has been blamed for the devastating NotPetya cyberattack that crippled the systems of global shipping firm Maersk and cost global firms upward of $1 billion in mitigation and recovery costs. Sandworm has also been linked to efforts to compromise the mobile operating system Android and attempts to target the U.S. electrical grid.

The group was also called out in a Feb. 20 statement by the Department of State for a cyberattack that disrupted government websites and broadcast television in the Republic of Georgia.

"This action contradicts Russia's attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries," Secretary of State Mike Pompeo said at the time.

This article was first posted on FCW, a sibling site to GCN.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected