Millions of Linux Servers Under Worm Attack Via Exim Flaw

Recent reports from security researchers across the globe have spotted, attackers exploiting a Linux Exim flaw to remote commands, to download crypto miners and to sniff out other vulnerable servers.

They have reported that around 3.5 million servers are at the risk from these attacks, which are using a worm able exploit to exploit a vulnerability in the Exim mail transport agent (MTA) to gain Remote Command-Execution over victim Linux systems.

This attack specifically focuses on vulnerability in Exim-based mail servers, which contribute almost 57% of the internet's email servers. Attackers are now using this fresh bug, discovered last week, to achieve control on victim systems to search the internet for other machines to spread this crypto miner infection.

Researchers with Cybereason added in their post on Thursday that "These kinds of attacks have big implications for organizations" and that "a recovery process from these attacks are costly and time-consuming".

Exim mail servers are FLOSS MTA's which essentially receive, route and deliver email messages from remote hosts and local users. And is installed in most Linux systems as a default MTA. This flaw arises from improper validation for recipient address in deliver_message() function in the server. This critical security vulnerability (CVE-2019-10149) with a score of 9.8 out of 10 on the CVSS v3 scale, was discovered on June 5th in Exim versions 4.87 to 4.91 while Exim 4.92 was not vulnerable.

Based on a recent security advisory "A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87. The severity depends on your configurations. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better".

Researcher Freddie Leeman first discovered the initial wave of attack on this vulnerability that included attackers pushing exploits out from a malicious command-and-control (C2) servers.

“Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149),” he said in a tweet. “Tries to downloads a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it’s up-to-date.”

This more sophisticated and recent campaign first installs an RSA private auth key on the vulnerable SSH servers for root authentications. Once RCE is established, they deploy a port scanner to sniff out for other vulnerable servers and to install a coin-miner. Moreover, this campaign appeared to be "highly pervasive" with extra measures to install several payloads at different stages, which included a port scanner and a coin-minor for maintaining persistence over infected systems.

"It has been made clear that the attackers have gone to huge lengths to try to hide the intentions of their newly-created worm" said, researchers. “They used hidden services on the TOR network to host their payloads and created deceiving windows icon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs.”

Researchers added that, they were looking for further info about the attack, but besides that they urged users to patch every Exim installation in their companies and organizations to make sure that it is updated to most recent version.

“The prevalence of vulnerable Exim servers (3,683,029 across the globe according to Shodan) allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue,” said the researchers.