Unpatched EXIM Servers Affected by Linux Worm
Only days after the vulnerability in the Exim mail transfer agent was made public, a Linux worm began exploiting it on unpatched Exim email servers. Researchers from Cybereason, who discovered the worm, reported that Exim (an email service designed to route, receive and deliver email messages from local users and remote hosts) runs nearly 57 percent of the Internet's email servers.
The vulnerability was identified in Exim version 4.87 and was later fixed in Exim 4.92; in the time between, around 3.5 million servers worldwide were put at risk. The worm scans for servers running vulnerable versions of Exim (versions up to 4.87) to infect, and once a machine is infected it installs a crypto-miner. The worm also gives the attacker remote code execution (RCE) on the vulnerable servers until it is removed from the server.
JR Aquino, Manager of Azure Incident Response at MSRC (Microsoft Security Response Center), reported: “As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected version of Exim.”
MSRC also suggested that Linux VMs running Exim be created directly through the Azure portal, as Azure "has controls in place" to restrict and confine how servers send outbound email, which limits the spread of the worm; the individual machines would nonetheless remain infected with the crypto-miner and the worm. The attacker would still be able to run remote commands to take over the virtual machine, and the crypto-miner would continue to consume the infected machine's resources and slow its performance significantly.
Aquino added that it is the responsibility of Azure customers to keep their virtual machines' operating systems up to date.
Azure customers running virtual machines with Exim 4.92 are not at risk, while those whose machines run older versions of Exim should update. Azure customers should also use NSGs (Network Security Groups), rule sets that allow or deny network traffic to Azure virtual network resources, to filter and block unusual traffic to their servers. However, if a group's rules also permit the attacker's IP addresses, that attacker will still be able to connect to the server and execute remote commands.
Since tracing and removing the worm from an infected Azure system is too costly and time consuming, the only practical option is to wipe the system and rebuild it from scratch.
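As an added example (not code from the article, Cybereason or MSRC), the POSIX shell check below parses the first line of `exim -bV` output and flags a build in the range the article describes: 4.87 up to, but not including, the fixed release 4.92. The `exim -bV` command and its "Exim version X.YZ" banner format are real; the sample banner and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: flag Exim builds in the range the article describes,
# 4.87 up to (not including) the fixed release 4.92.
# "exim -bV" prints a first line of the form "Exim version 4.91 #1 built ...";
# the sample banner used at the bottom is constructed for offline use.

FIRST_MINOR=87   # Exim 4.87: where the article says the flaw was identified
FIXED_MINOR=92   # Exim 4.92: named by the article as the fixed release

# Extract "4.91" from a banner line such as (constructed)
# "Exim version 4.91 #1 built 06-Jun-2019 10:00:00". Prints nothing on no match.
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if "$1" (e.g. 4.91) lies in [4.87, 4.92), else 1.
# Unparsable input is reported as "not affected" rather than guessed.
exim_is_affected() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}     # drop any ".N" patch suffix such as 4.91.1
    case "$major$minor" in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "$major" -eq 4 ] && [ "$minor" -ge "$FIRST_MINOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]
}

# Check the locally installed Exim, if any. Prints a verdict and returns
# 0 = affected, 1 = not affected or not installed.
check_local_exim() {
    command -v exim >/dev/null 2>&1 || { echo "exim not installed"; return 1; }
    banner=$(exim -bV 2>/dev/null | head -n 1)
    ver=$(exim_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse Exim version from: $banner"
        return 1
    fi
    if exim_is_affected "$ver"; then
        echo "Exim $ver: AFFECTED - patch to 4.92 or restrict network access"
        return 0
    fi
    echo "Exim $ver: not in the affected range"
    return 1
}

# Demonstration on a constructed banner (no Exim installation needed):
sample='Exim version 4.91 #1 built 06-Jun-2019 10:00:00'
v=$(exim_version_from_banner "$sample")
if exim_is_affected "$v"; then echo "sample $v: affected"; else echo "sample $v: not affected"; fi
```

Run `check_local_exim` on a host to test the installed build instead of the constructed sample.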