3.5 Million Email Servers Under Worm Attack Via Vulnerable Versions of Exim.

Posts by: Carl Jack


According to researchers, a worm exploiting vulnerable versions of the Exim mail transfer agent is gaining permanent root access via SSH to the machines it compromises.

Dubbed “The Return of the WIZard” and tracked as CVE-2019-10149, the flaw makes it possible for attackers to remotely run arbitrary commands, mostly as root, on exposed servers.

It was first discovered on June 5th and is now part of a widespread campaign. It is estimated that more than 3.68 million machines currently run vulnerable versions of Exim. The Exim versions at risk are 4.87 through 4.91. It is estimated that about a third of the servers running Exim (around 1.8 million or so) have installed the patched 4.92 release.

Exim is an open-source MTA (Mail Transfer Agent): its function is to receive, route and deliver email from local users and remote hosts, and it is the default MTA on some Linux systems. The flaw allows remote attackers to send malicious emails and run malicious code with the access level of the Exim process.

It is thought that the first wave of attacks started on June 9th, when attackers began blasting out exploits from a command-and-control server; over the subsequent days the attack has evolved and changed the type of malware it infects hosts with. The object of the campaign is to create a backdoor into the MTA servers by downloading a script that adds an SSH key to the root account.

Timeline of the attack’s steps:

First, the attackers send an email in which the RCPT TO field of the SMTP dialog carries an email address whose “localpart” is crafted to exploit the vulnerable Exim.

Then the vulnerable Exim server expands that localpart while handling the message and, since many installations still run Exim as root, the resulting command downloads a shell script that opens SSH access to the MTA server by adding a public key for the root user.

The most recent attack is said to be far more sophisticated and highly unwelcome, because it can seek out other vulnerable servers, install a coin-miner and even deliver several payloads in one hit. According to some experts and researchers, this lets the attackers compromise many servers in a short space of time while generating a steady stream of cryptocurrency revenue.

Right now, the only solution seems to be for all Exim users to update to version 4.92, the only version not vulnerable to these ongoing attacks.
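Two checks an administrator can run against the campaign described above, one for the version range the article names and one for the SSH key the dropped script adds to root. This is an added example, not code from the article or from the Exim project; the version range (4.87 through 4.91, fixed in 4.92) is taken from the article, the `exim -bV` output line is a constructed sample, the key blobs are placeholders, and it assumes the site keeps a baseline of the keys legitimately allowed for root.

```python
import re

# Affected range as the article states it: 4.87 through 4.91, fixed in 4.92.
VULNERABLE_MIN = (4, 87)
FIXED = (4, 92)

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")
# Key type followed by its base64 blob; tolerates leading options like command="...".
_KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)\s+([A-Za-z0-9+/=]+)"
)


def parse_exim_version(bv_output: str) -> tuple:
    """Pull (major, minor) out of `exim -bV` output such as 'Exim version 4.91 #1 ...'."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        raise ValueError("no Exim version found in output")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: tuple) -> bool:
    """True when 4.87 <= version < 4.92, the range the article calls exposed."""
    return VULNERABLE_MIN <= version < FIXED


def authorized_key_ids(text: str) -> set:
    """Set of (type, blob) pairs in an authorized_keys file; options and comments are ignored."""
    ids = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = _KEY_RE.search(line)
            if m:
                ids.add((m.group(1), m.group(2)))
    return ids


def unexpected_root_keys(current: str, baseline: str) -> set:
    """Keys in root's authorized_keys that the site baseline does not list: where the
    campaign's dropped SSH key would show up."""
    return authorized_key_ids(current) - authorized_key_ids(baseline)


# Constructed sample data (placeholder blobs, not real keys).
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEadminKEYplaceholder admin@site\n"
ROOT_KEYS = ("# managed by config management\n" + BASELINE_KEYS
             + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUNKNOWNkeyPLACEHOLDER nobody\n")

if __name__ == "__main__":
    ver = parse_exim_version("Exim version 4.91 #1 built 10-Feb-2019 13:14:08")  # constructed
    print("vulnerable version:", is_vulnerable(ver))  # True
    print("unexpected root keys:", unexpected_root_keys(ROOT_KEYS, BASELINE_KEYS))
```

On a real host, feed `authorized_key_ids` the contents of `/root/.ssh/authorized_keys` and compare against the baseline your configuration management deploys.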