Read on Twitter
Russian hackers (BlackEnergy Group/Olympic Destroyer) have started exploiting CVE-2019-10149 (RCE with root privs on Exim mail server) since at least August 2019 - less than a month since the bug was published https://www.bleepingcomputer.com/news/security/nsa-russian-govt-hackers-exploiting-critical-exim-flaw-since-2019/">https://www.bleepingcomputer.com/news/secu...
The attackers exploited the flaw by sending an email with Exploiting the flaw is possible by sending an email email with a command added to the "MAIL FROM:" field 
https://abs.twimg.com/emoji/v2/... draggable="false" alt="👇" title="Down pointing backhand index" aria-label="Emoji: Down pointing backhand index">
" title="The attackers exploited the flaw by sending an email with Exploiting the flaw is possible by sending an email email with a command added to the "MAIL FROM:" field https://abs.twimg.com/emoji/v2/... draggable="false" alt="👇" title="Down pointing backhand index" aria-label="Emoji: Down pointing backhand index">" class="img-responsive" style="max-width:100%;"/>
The script used gives the attackers complete access to compromised servers and MySQL databases
Two of the commands, base64-encoded, check running processes for Little Snitch firewall for macOS. Commands are dropped if LS is found
Two of the commands, base64-encoded, check running processes for Little Snitch firewall for macOS. Commands are dropped if LS is found
more tweet-size details in this thread here: https://twitter.com/BleepinComputer/status/1266024197542862849">https://twitter.com/BleepinCo...
