According to a warning from the U.S. National Security Agency (NSA), a Russia-linked APT group has been running campaigns that exploit a critical vulnerability (CVE-2019-10149), also known as "The Return of the WIZard", in the Exim mail transfer agent (MTA) software.
According to the NSA's findings, the threat actors have been exploiting the vulnerability since at least August 2019, after the flaw was publicly disclosed and patches were released in June 2019. The critical flaw affects Exim MTA versions 4.87 through 4.91 and allows a remote attacker to execute arbitrary commands on the mail server, for example by placing a command in the "MAIL FROM" field of a Simple Mail Transfer Protocol (SMTP) transaction.
In the same campaign the attackers, Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST), also exploited two other Exim issues. The first is a remote code execution flaw (CVE-2019-15846), fixed in September 2019, that affects versions 4.92.1 and older. The second is a denial-of-service and code execution vulnerability (CVE-2019-16928) that affects versions 4.92 through 4.92.2, according to RiskIQ.
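The three affected version ranges above are easy to misread by hand (4.92 is clear of the first bug but inside the third). The following helper, added here as an illustration and not part of the NSA advisory, RiskIQ's report or Exim itself, parses the version string that `exim -bV` prints and reports which of the three CVEs named in the article apply. The range table is transcribed from the article; the function names are the author's own choices.

```python
# Added example: map an Exim version string to the CVEs named in the article.
# Ranges are taken from the text above; helper names are this example's own.
import re
import subprocess

# (CVE, lowest affected version, highest affected version), inclusive.
AFFECTED = [
    ("CVE-2019-10149", (4, 87, 0), (4, 91, 0)),   # 4.87 through 4.91
    ("CVE-2019-15846", (0, 0, 0),  (4, 92, 1)),   # 4.92.1 and older
    ("CVE-2019-16928", (4, 92, 0), (4, 92, 2)),   # 4.92 through 4.92.2
]
FIXED = (4, 93, 0)  # the advisory's floor: install 4.93 or newer


def parse_version(text):
    """Return (major, minor, patch) from a bare version or an `exim -bV`
    banner such as 'Exim version 4.92.3 #3 built 27-Sep-2019 ...'.
    A missing patch level (e.g. '4.91') is treated as .0."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version):
    """CVEs from the article whose affected range contains `version`.
    Accepts a string (parsed) or an already-parsed tuple."""
    v = parse_version(version) if isinstance(version, str) else version
    # Tuple comparison is lexicographic, so (4, 92, 0) < (4, 92, 1) < (4, 93, 0).
    return [cve for cve, lo, hi in AFFECTED if lo <= v <= hi]


def needs_update(version):
    """True when the version is below the advisory's recommended 4.93."""
    v = parse_version(version) if isinstance(version, str) else version
    return v < FIXED


def assess(version_text):
    """Human-readable verdict for one version string."""
    v = parse_version(version_text)
    cves = affected_cves(v)
    verdict = "update required" if needs_update(v) else "at or above 4.93"
    detail = ", ".join(cves) if cves else "none of the three CVEs above"
    return f"Exim {v[0]}.{v[1]}.{v[2]}: {verdict}; affected by {detail}"


def assess_local_exim(binary="exim"):
    """Run `exim -bV` on this host and assess its first line.
    Assumes an Exim binary on PATH; returns None if it cannot be run."""
    try:
        out = subprocess.run([binary, "-bV"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample banners; the real check is assess_local_exim().
    for banner in ("Exim version 4.91 #1 built 03-Jun-2019",
                   "Exim version 4.92.2 #2 built 27-Sep-2019",
                   "Exim version 4.93 #3 built 06-Dec-2019"):
        print(assess(banner))
    local = assess_local_exim()
    if local:
        print("this host:", local)
```

One caveat a practitioner should keep in mind: distributions that backport security fixes (Debian and Ubuntu among them) may ship a patched Exim whose upstream version string still falls inside these ranges, so a match here is a prompt to check the package changelog, not proof of exposure; conversely, no version string tells you whether the host was already exploited while it was vulnerable.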
In an advisory published by the NSA, the agency states: "Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August."
"The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA."
The advisory further reads: "Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available."