The US National Security Agency (NSA) has warned about a new wave of cyber attacks against email servers, conducted by a threat actor known as Sandworm Team.

In a security advisory published Thursday the agency said the Sandworm hackers have been exploiting a vulnerability (CVE-2019-10149) in Exim mail transfer agent (MTA) software since at least August 2019.

Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability in question, which is also known as “The Return of the WIZard” flaw, was found in the Exim mail server versions 4.87 to 4.91 (included). The flaw stems from the fact that the application fails to properly handle the recipient addresses due to the code in deliver_message() which allows an attacker to execute arbitrary commands.

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute commands with root privileges and to install software, modify data, and create new accounts by sending specially crafted email. The flaw was fixed in Exim version 4.92 (released on February 10, 2019).

“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing. When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain,” according to the NSA’s advisory.

This shell script would:

• Add privileged users

• Disable network security settings

• Update SSH configurations to enable additional remote access

• Execute an additional script to enable follow-on exploitation

The NSA is urging system administrators to update Exim by installing version 4.93 or newer to mitigate the above mentioned flaw and other vulnerabilities.

“Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” the agency added.