Email bug could have dire consequences for federal networks


Cybersecurity watchers around the world are concerned with something called CVE-2019-10149. It’s a flaw in certain email transfer servers. It sounds arcane, but it is being exploited by actors from Russia and can wreak havoc on federal systems, and on those running for office. The co-founder and CEO of Area 1 Security, Oren Falkowitz, joined Federal Drive with Tom Temin for more on this bug and what to do about it.

Interview transcript:

Tom Temin: Mr. Falkowitz, good to have you on.

Oren Falkowitz: Yeah, thanks for having me.

Tom Temin: Tell us about this bug. It actually dates back quite a while, more than a year. And there is a patch for it. But not everyone has put in the patch. Tell us more about this bug.

Oren Falkowitz: Yeah, there’s a vulnerability in the Exim software that was discovered some years ago, and that’s been mitigated by the newer versions. But just last Friday, the National Security Agency issued advisories saying that they’ve observed the same cyber actors from the Russian military who are involved in election hacking here in the United States taking advantage of this. So it was critical for folks to take it incredibly seriously. And at Area One Security we’ve done research and discovered that there are upwards of 60 candidates running for Congress, Governor and the United States Senate, as well as local municipalities and the State Department, who continue to run these servers. And you know, it’s common for software to have vulnerabilities, but particularly for folks who are running for federal office, it’s important that they not use their own email servers and move to professionally managed servers.

Tom Temin: Yes. You mentioned something called Exim that this bug is in, that’s coming from Russia. What is Exim exactly?

Oren Falkowitz: Well, Exim is software for mail transfer. The bug’s not coming from Russia. It’s just a vulnerability in the software itself. And that’s common; great software is developed by humans and it’s imperfect. And that’s why we have patches, you know, all the time in various forms of software. What the vulnerability allows is for someone remotely or externally to gain access to the email server and to get administrator privileges, to launch new phishing attacks, to move further into networks, if they’re able to be successful.

Tom Temin: And who publishes Exim? Is that something in the public domain? Or where do you get the patch from to secure it all up again?

Oren Falkowitz: Exim started as a university project. It’s quite popular. There are millions of Exim servers. It’s good software used by lots of folks who have wanted to have their own email servers, primarily before there were professionally managed email systems like Microsoft Office 365 and Google email platforms. And it’s readily available across the internet.

Tom Temin: Got it. Your report says that Exim has been found running with the vulnerability in the State Department.

Oren Falkowitz: That’s correct.

Tom Temin: So why would something as large and as important as the State Department not be using professionally managed servers, or do they have professional people running Exim for them that have simply not done their job in terms of patching?

Oren Falkowitz: Well, there are two things that can sometimes go on. One, large organizations with professional IT staff sometimes want to run their own systems, for customization for special use cases. And that can make sense. And this is good software to do that. But it does mean that if you’re an administrator, you have to be perfect every single day, making sure you’re staying up with the latest patches, configurations, management and advances that are happening all across the broader cybersecurity and software ecosystem. The second is that sometimes individuals, for cost reasons or for legacy reasons, will have built these servers, and they’re just kind of lingering out there. What’s unclear to us is why candidates for federal office would want to have this, because typically they are outsourcing their IT to third parties, and it creates a lot of vulnerability and risks to have your software outsourced but then also not be using professionally managed software, especially around email.

Tom Temin: Is Exim what was used by the Democratic National Committee during the last presidential campaign that was exploited?

Oren Falkowitz: No, I don’t believe so. I’m not aware of that. I don’t believe that they used Exim or that that was what was taken advantage of.

Tom Temin: But people using Exim in this context could be subject to the same problems that affected that group back in 2016.

Oren Falkowitz: Yeah, I mean, absolutely similar types of challenges. The vulnerability allows for someone externally to take over this critical email infrastructure: to read the messages, to create administrative users, to go further into your network, to send additional phishing attacks. It’s quite a serious vulnerability and it’s been identified as such for some time now. You know, we’re only 150 days, give or take, from the next election, and to see candidates still using custom software like this is quite troubling given all we know about the sensitivity of email infrastructure in elections.

Tom Temin: Alright, so if I have an organization, a campaign or a small agency, whatever it might be, at maybe the state or municipal level, and I’m running Exim, what do I need to do right now?

Oren Falkowitz: Well, there are a couple of things we recommend. The first is, if possible, it’s preferable to move to a professionally managed service such as Microsoft Office 365 and Google’s email products, plus some additional cloud email security solutions that fight phishing and advanced attacks that go beyond what the mail component provides as a base level. If you’re unable to do that, you know, make sure that you’re running the latest versions of Exim, which are readily downloadable and available, upgrading to the latest version. What it allows for is for users to mitigate the vulnerability, meaning that they’re no longer able to be exploited by it. It doesn’t mean that it solves the problem had they been exploited prior.

Tom Temin: Because you could still have those unauthorized users out there, and they’ve got credentials on your system.

Oren Falkowitz: Exactly. You could still have people on the system, and you wouldn’t necessarily know about it unless you’ve tightly managed it, which would be slightly unlikely if you’re still running the unpatched version. But it’s critical to go and get the latest version at a minimum. And then we recommend folks, particularly where they don’t have large professionally managed teams, to just switch to the solutions that are relatively cost-effective, such as Office 365 and Google’s G Suite.

Tom Temin: Yeah, I mean, Office is only 99 bucks a year for six users. And if you’re a campaign, that’s probably all you need.

Oren Falkowitz: For a campaign, it’s more than appropriate. It’s important, though, that in addition, the cloud inboxes, right, the Microsofts and the Googles, they’re not sufficient for cybersecurity. They’re good for managing and processing email and for doing anti-spam. Campaigns in particular need to add cloud email security solutions that focus on phishing attacks, like the types of attacks we’ve seen in the 2016 and 2018 elections, the type that plagues corporations around the world. So you need to do both of those things to really be effective.

Tom Temin: Oren Falkowitz is co-founder and CEO of Area One Security. Thanks so much for joining me.

Oren Falkowitz: You’re welcome. Thank you.
