Monthly Archives: May 2020


Russian Sandworm Exploiting Exim Mail Servers

The NSA has found that the Russian spy group called BlackEnergy is actively exploiting Exim mail servers with Sandworm.

The Exim mail server flaw can be exploited using an email containing a modified “MAIL FROM” field in a Simple Mail Transfer Protocol (SMTP) message. The Russians have been exploiting unpatched Exim servers since at least August, according to the NSA’s advisory.

Once Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.

“This script would attempt to do the following on the victim machine: Add privileged users; disable network security settings; update SSH configurations to enable additional remote access; and execute an additional script to enable follow-on exploitation,” according to the NSA.

Exim admins should update their MTAs …


Microsoft Patched 100 Vulnerabilities

Microsoft pushed a hefty list of patches on Tuesday to fix over 100 vulnerabilities, with 16 CVEs making the critical list.

This is actually the third month in a row that Microsoft has pushed patches for over 100 vulnerabilities. May’s list does not contain any vulnerabilities currently being exploited in the wild, which is a good thing.

Make sure that you are always patching your systems.


Sophos XG Firewall Vulnerability

Hackers have been targeting the Sophos XG Firewall with a zero-day exploit that allows them to inject the Asnarok malware.

Sophos said in their blog: “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN, SPX Portal) to the WAN zone that shares the same port as the admin or User Portal were also affected.”

What was compromised?

The data impacted on the firewall was found to be all local usernames and hashed passwords of any local user accounts. This means local device admin accounts, user portal accounts, and accounts used for remote access. However, passwords associated with external authentication such as Active Directory (AD) or LDAP were not compromised.

Have I been compromised?

Well, Sophos best practice is to make sure the firewall …
