Linux servers under worm attacks via latest Exim flaw

It didn’t take very long for Hackers to start exploiting this flaw, the recently revealed Exim vulnerability (CVE-2019-10149).

 

An initial wave of attacks on this vulnerability – which involved attackers pushing out exploits from a malicious command-and-control (C2) server – was first discovered June 9 by researcher Freddie Leeman.

“Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149),” he said in a tweet. “Tries to downloads a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it’s up-to-date.”

Amit Serper, Cybereason’s head of security research, “The campaign uses a private authentication key that is installed on the target machine for root authentication,”.

“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”

They also install a portscanner that “looks for additional vulnerable servers on the Internet, connects to them, and infects them with the initial script.”

What should you do?

Despite the flaw having been patched in February and the security community urging admins to upgrade Exim to v4.92 or implement the patches provided for older (outdated) releases (from v4.87 to v4.91), there are still many vulnerable servers out there.

Cybereason’s latest Shodan search puts the number at 3,68 million or so – servers that run an older Exim version and some of them may of the new servers have patches implemented. However if you were unaware of this flaw you are still vulnerable with these server and its time to put in the hours to patch them up. 

author avatar
Patrick Domingues

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.