"NSA Warns About Sandworm APT Exploiting Exim Flaw"
The NSA has warned in a security advisory published on Thursday that the Russian APT group Sandworm has been exploiting a critical Exim flaw (CVE-2019-10149) to compromise mail servers since August 2019. When the flaw is successfully exploited, threat actors can execute code of their choosing. In Sandworm's exploitation, the victim's machine subsequently downloads and executes a shell script from a Sandworm-controlled domain. The script then attempts to add privileged users, update the SSH configuration to enable additional remote access, disable network security settings, and execute an additional script to enable follow-on exploitation.
Help Net Security reports: "NSA Warns About Sandworm APT Exploiting Exim Flaw"
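As an added defensive example (not code from the NSA advisory or the article), the audit below checks a host for the two post-exploitation changes the advisory describes: newly added UID 0 accounts and SSH configuration changes that widen remote access. The expected-account baseline, the risky directive list and the sample inputs are assumptions constructed for this example.

```python
# Added example, not code from the NSA advisory or the article: an offline audit
# for the two post-exploitation changes described, new privileged accounts and
# SSH configuration changes that widen remote access. Inputs are plain text.
from typing import Dict, List

EXPECTED_UID0 = {"root"}  # assumption: root is the only legitimate UID 0 account

# Directive values that weaken remote-access controls; chosen for this example,
# not a list taken from the advisory.
RISKY_SSHD = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}

def unexpected_uid0(passwd_text: str) -> List[str]:
    """Return account names holding UID 0 that are not in EXPECTED_UID0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines
        if int(fields[2]) == 0 and fields[0] not in EXPECTED_UID0:
            found.append(fields[0])
    return found

def effective_sshd(config_text: str) -> Dict[str, str]:
    """Parse the global section of sshd_config as sshd does: the first value
    for a keyword wins, and a Match block ends the unconditional section."""
    effective: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = line.replace("=", " ", 1).split(None, 1)  # allow Key=value form
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    return effective

def risky_sshd_directives(config_text: str) -> List[str]:
    """Return 'keyword value' pairs that are in effect and weaken access control."""
    eff = effective_sshd(config_text)
    return [f"{k} {v}" for k, v in eff.items() if v in RISKY_SSHD.get(k, set())]

if __name__ == "__main__":
    passwd = "root:x:0:0:root:/root:/bin/bash\nsvcadmin:x:0:0::/home/svcadmin:/bin/sh\n"  # constructed
    sshd = "PermitRootLogin no\nPasswordAuthentication no\nPermitRootLogin yes\n"  # constructed: appended 'yes' is ignored by sshd
    print(unexpected_uid0(passwd), risky_sshd_directives(sshd))
```

Because sshd honours the first value it reads for a keyword, a directive appended to the end of an existing sshd_config may have no effect while one prepended does; the audit reports only what is actually in force.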
Submitted by Anonymous