Sandworm affecting Exim

Sandworm affecting MTA

The US National Security Agency (NSA) has issued a cybersecurity advisory warning that the Russian military hacking group responsible for interfering in the 2016 presidential election has been exploiting a critical vulnerability in Exim since last August or earlier.

For those unfamiliar with Exim, the software is a mail transfer agent (MTA) that runs in the background of email servers. The software is currently the most popular MTA and a big reason for this is due to the fact that it is bundled with many popular Linux distros including Debian and Red Hat.

The timing of the NSA’s advisory is a bit strange though as the critical vulnerability in Exim was identified 11 months ago and a patch has already been released to fix the issue.

According to the president of Rendition Infosec and former US government hacker, Jake Williams who spoke with the Associated Press, Exim is so widely used that some companies and government agencies that run the software may have not yet patched the vulnerability. He believes that the NSA may have issued its new advisory to bring attention to the Russian military group known as Sandworm which has exploited the critical vulnerability in Exim in its attacks.


In its advisory, the NSA provided further details on the vulnerability in Exim that Sandworm is actively exploiting, saying:

“The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”

While the NSA did not reveal who the Russian military hackers have targeted, in recent months senior US intelligence officials have warned that Kremlin agents are currently engaged in activities online that could threaten the integrity of the country’s 2020 presidential election.

Organizations and government agencies that use Exim should apply this patch immediately if they have not already done so to avoid falling victim to any potential attacks.

Octopus Scanner ! Active RAT

The malware, which GitHub’s security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications.

GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 9.

GitHub says that when other users would download any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers.

It would scan the victim’s workstation for a local NetBeans IDE installation, and proceed to burrow into the developer’s other Java projects.

End goal: Install a remote access trojan (RAT)

The malware, which can run on Windows, macOS, and Linux, would then download a remote access trojan (RAT) as the final step of its infection, allowing the Octopus Scanner operator to rummage through an infected victim’s computer, looking for sensitive information.

GitHub says the Octopus Scanner campaign has been going on for years, with the oldest sample of the malware being uploaded on the VirusTotal web scanner in August 2018, time during which the malware operated unimpeded.

While GitHub says it found only 26 projects uploaded on its platform that contained traces of the Octopus Scanner malware, it believes that many more projects have been infected during the past two years.

However, the true purpose of the attack was to place a RAT on the machines of developers working on sensitive projects or inside major software companies, and not necessarily to poison open-source Java projects.

The RAT would have given the attacker(s) access to steal confidential information about upcoming tools, proprietary source code, or alter code to enable backdoors in enterprise or other closed-source software.

“If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed,” GitHub added.

“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”

GitHub did not publish the name of the 26 poisoned projects, but has published details about Octopus Scanner’s infection process, so NetBeans users and Java developers can look for signs if their projects have been altered.

NWorm ! Trickbot Malware

The Trickbot banking trojan has evolved once again with a new malware spreading module that uses a stealth mode to quietly infect Windows domain controllers without being detected.

Started as a banking Trojan, the TrickBot malware has evolved with the constant addition of new modules that allows it to perform a variety of malicious behavior.

Some of this behavior includes spreading laterally through a network, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and more.

TrickBot also partners with ransomware operators, such as Ryuk, to gain access to a compromised network so they can deploy ransomware.

Meet Nworm: TrickBot malware’s stealthy propagation module

In a new report by Palo Alto Unit 42, researchers discovered that the TrickBot developers had released an updated network spreading module called ‘nworm’ that uses new techniques to evade detection as it infects Windows domain controllers.

When installed, TrickBot will assess the environment that it is running in and then download various modules to perform specific malicious activity on the infected computer and in the network.

If TrickBot detects that it is running in a Windows Active Directory (AD) environment, it has historically downloaded modules called ‘mworm’ and ‘mshare’ used to spread the TrickBot infection to a vulnerable domain controller.

The module does this by attempting to exploit SMB vulnerabilities in the domain controller.

As the malware executable would be unencrypted, security software installed on the DC could detect it and remove it right after being copied.

“In April 2020 while generating a TrickBot infection in a lab environment, TrickBot stopped using the mworm module. In its place, a new artifact named “nworm” appeared on an infected Windows 7 client,” the researchers explain in their report.

This new nworm module not only encrypts the TrickBot executable so it can’t be detected by security software, but also launches the infection on the domain controller in memory.

Using this method, TrickBot can be snuck into a domain controller and executed without being detected.

To further increase its stealthiness, when infecting a domain controller, the TrickBot malware will not remain persistent to start again if the computer is rebooted.

As domain controllers are rarely restarted, this should not pose a problem as the infection should stay running in memory for an extended period.

This is usually enough time for the threat actors to execute and complete their attack.

SHA-1 soon to be a history

The developers of two open source code libraries for Secure Shell, which is the protocol used by millions of computers to create encrypted connections, have decided to no longer support the Secure Hash Algorithm 1 (SHA-1) due to growing security concerns.

“It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the “ssh-rsa” public key signature algorithm by default in a near-future release. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.”

SHA-1 is a cryptographic hash function that was first developed in 1995. It is used for producing hash “digests” which are each 40 hexadecimal characters long and these digests are meant to be distinct for every message, file and function that uses them.

Hash collisions

A collision is a cryptographic term used to describe when two or more inputs generate the same outputted digest and researchers began warning that SHA-1 was becoming increasingly vulnerable to collisions almost a decade ago.

In 2017, SHA-1 fell victim to a collision attack that cost $110,000 to produce which lead to a number of browsers, browser-trusted certificate authorities and software update systems to abandon the algorithm though some services and software continued using it despite the risk.

While OpenSSH and Libssh will no longer support SHA-1, the encryption algorithm is still supported in recent versions of OpenSSL.