Linux Servers Vulnerable Due to Exim Flaw
A widespread campaign is exploiting a vulnerability in the Exim mail transport agent (MTA) to gain remote command execution on victims’ Linux systems. According to researchers, more than 3.5 million servers are currently at risk from the attacks, which use a wormable exploit. Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet’s email servers. Hackers are exploiting the flaw to take control of the systems, scan the internet for other systems to infect, and start a cryptominer infection. Exim is an open-source MTA that receives, routes and delivers email messages from local users and remote hosts, and it is the default MTA on some Linux systems.
The flaw is due to improper validation of the recipient address in the deliver_message() function in the server. The vulnerability, CVE-2019-10149, was discovered on June 5 and affects Exim versions 4.87 to 4.91; Exim version 4.92 is not vulnerable. A patch already exists, is being tested, and is being backported to all versions released since, and including, 4.87. The severity depends on your configuration: the closer your Exim runtime configuration is to the standard configuration, the better.
An initial wave of attacks, which involved hackers pushing out exploits from a malicious command-and-control (C2) server, was first discovered June 9 by researcher Freddie Leeman. Leeman tweeted that he had “just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149).” According to Leeman, it tries to download a script located at #http://173.212.214.137/s#. More recently, researchers with Cybereason tracked a second wave of attacks, which they believe was launched by a different hacker.
The more recent and more sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command execution is established, the hacker deploys a port scanner to sniff out other vulnerable servers and installs a coin-miner. The attack also appears to be highly pervasive, with extra measures such as installing several payloads at different stages, including the port scanner and the coin-miner; this is believed to be done for persistence on the infected system.
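Because the second campaign gains its foothold by adding a key for root SSH logins, the first thing a defender wants is a way to spot keys in an authorized_keys file that nobody approved. The script below is an added example written for this article, not code from Cybereason or from Exim: it parses each OpenSSH authorized_keys entry (options, key type, base64 blob, comment), computes the SHA256 fingerprint the way ssh-keygen -lf prints it, and reports every entry whose fingerprint is not on an allow-list, as well as lines it cannot parse. The key blobs and the allow-list are constructed stand-ins; a real deployment would read /root/.ssh/authorized_keys and take the approved fingerprints from configuration management.

```python
"""Audit an OpenSSH authorized_keys file for keys that are not on an
approved list, the kind of check that catches a root-login key planted
for persistence.

Added example for this article, not code from the researchers it cites.
Key blobs and the allow-list below are constructed for the demonstration."""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Set

# One authorized_keys entry: optional options, key type, base64 blob, optional comment.
# The options group tolerates quoted values that contain spaces, e.g. command="a b".
_ENTRY_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)'
    r'(?:\s+(?P<comment>.*))?$'
)


def fingerprint_of(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no '=' padding)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowed: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per entry that is unparseable or whose fingerprint is
    not in `allowed`. Blank lines and '#' comments are skipped."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _ENTRY_RE.match(stripped)
        if not m:
            findings.append({"line": str(lineno), "reason": "unparseable entry",
                             "detail": stripped[:60]})
            continue
        try:
            fp = fingerprint_of(m.group("blob"))
        except (binascii.Error, ValueError):
            findings.append({"line": str(lineno), "reason": "unparseable entry",
                             "detail": "key blob is not valid base64"})
            continue
        if fp not in allowed:
            findings.append({"line": str(lineno), "reason": "key not on allow-list",
                             "fingerprint": fp,
                             "options": m.group("opts") or "",
                             "comment": m.group("comment") or ""})
    return findings


def _blob(material: bytes) -> str:
    # Constructed stand-in for a real key blob; only its hash matters here.
    return base64.b64encode(material).decode()


APPROVED_BLOB = _blob(b"constructed-admin-key-material")
UNKNOWN_BLOB = _blob(b"constructed-unknown-key-material")

# Constructed sample file: one approved key, two entries nobody approved.
SAMPLE_AUTHORIZED_KEYS = f"""# root authorized_keys, constructed sample
ssh-ed25519 {APPROVED_BLOB} admin@bastion.example.test
ssh-rsa {UNKNOWN_BLOB}
no-pty,from="203.0.113.7" ssh-rsa {UNKNOWN_BLOB} unknown
"""
ALLOWED_FINGERPRINTS = {fingerprint_of(APPROVED_BLOB)}


def run_sample() -> List[Dict[str, str]]:
    """Audit the constructed sample against the constructed allow-list."""
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f['line']}: {f['reason']} {f.get('fingerprint', f.get('detail', ''))}")
```

Run periodically against root's and service accounts' authorized_keys files and alert on any finding; a key that appeared without a change ticket is exactly the persistence mechanism the article describes.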
It is clear that the hackers went to great lengths to hide the intentions of their worm. They used hidden services on the Tor network to host their payloads and created a deceptive Windows icon file that is actually a password-protected zip archive containing the coin-miner executable, in an attempt to throw off researchers and even system administrators looking at their logs.
Researchers said that they are still looking for further information about the attack, but in the meantime urged users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim 4.92.
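The affected range given earlier (4.87 through 4.91, with 4.92 fixed) and the advice to patch every installation both come down to one inventory question: which version is each Exim host actually running? The script below is an added example for this article, not code from Exim or from the researchers quoted. It parses the version line that `exim -bV` prints and the SMTP greeting banner, places the version relative to the range the article states, and can be run over a host-to-banner inventory; the sample banners are constructed. Because the article also notes that the fix is being backported to earlier releases, a version inside the range means "check your distribution's advisory", not "confirmed vulnerable".

```python
"""Flag Exim installations whose reported version falls in the range the
article gives for CVE-2019-10149 (4.87 through 4.91; 4.92 is fixed).

Added example for this article, not code from Exim or the researchers quoted.
Sample banners below are constructed."""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

AFFECTED_LOW = (4, 87)   # first affected release named in the article
AFFECTED_HIGH = (4, 91)  # last affected release named in the article
FIXED = (4, 92)          # release the article says is not vulnerable

# Matches "Exim version 4.91 #1 built ..." (exim -bV output) and
# "220 host ESMTP Exim 4.91 ..." (SMTP greeting).
_VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)")


def parse_exim_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an Exim banner or -bV output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(version: Optional[Tuple[int, int]]) -> str:
    """Place a version relative to the affected range stated in the article."""
    if version is None:
        return "unknown"
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "affected-range"
    if version >= FIXED:
        return "fixed"
    return "outside-range"  # older than 4.87; not covered by the article's statement


def audit_banners(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify a host -> banner mapping, e.g. collected from an inventory."""
    return {host: classify(parse_exim_version(banner)) for host, banner in banners.items()}


# Constructed sample input: SMTP greetings plus one `exim -bV` line.
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Mon, 10 Jun 2019 09:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 09:00:00 +0000",
    "relay.example.test": "Exim version 4.89 #1 built 12-Mar-2018 20:02:27",
    "legacy.example.test": "220 legacy.example.test ESMTP Postfix",
}


def local_exim_version() -> Optional[Tuple[int, int]]:
    """Ask the locally installed Exim for its version; None if Exim is absent."""
    exe = shutil.which("exim") or shutil.which("exim4")
    if exe is None:
        return None
    out = subprocess.run([exe, "-bV"], capture_output=True, text=True, check=False).stdout
    return parse_exim_version(out)


if __name__ == "__main__":
    for host, verdict in audit_banners(SAMPLE_BANNERS).items():
        print(f"{host:22} {verdict}")
    print("local exim:", classify(local_exim_version()))
```

Hosts reported as "affected-range" are the ones to take to the distribution's advisory and the Exim release notes; "unknown" means the banner did not identify Exim at all, which is worth a look in its own right since greeting banners are often customised.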