14 June 2019

Hackers actively exploit a recently patched vulnerability in Exim email server software

Mail servers running vulnerable versions of the Exim mail transfer agent (MTA) are currently under siege, with attackers trying to exploit the CVE-2019-10149 vulnerability (aka “Return of the WIZard”) in an effort to take them over.

The flaw resides in versions 4.87 to 4.91 of the Exim MTA software and can be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers. It is caused by improper validation of recipient addresses and can lead to remote code execution with root privileges on the mail server. Exim’s team addressed the vulnerability with the release of version 4.92 in February, but a large number of systems still remain vulnerable to this issue.
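A first check a defender wants after reading the above is whether a given host is inside the affected 4.87 to 4.91 range. The following is an added example, not code from the article or from the Exim project: it parses the first line that `exim -bV` prints (the sample output below is constructed from the real format) and classifies the version against the range the article gives. Distributions often backport security fixes without bumping the upstream version string, so a hit here means "verify with your package manager", not "confirmed vulnerable".

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range and fix version as stated in the article for CVE-2019-10149.
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)
FIXED_VERSION = (4, 92)

# Constructed sample of the first line `exim -bV` prints; the real output
# continues with build options and the configuration file path.
SAMPLE_BV_OUTPUT = "Exim version 4.91 #1 built 14-Feb-2019 10:04:07\nCopyright (c) University of Cambridge\n"

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) extracted from `exim -bV` output, or None if absent."""
    match = _VERSION_RE.search(bv_output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_vulnerable_version(version: Tuple[int, int]) -> bool:
    """True when the upstream version lies in the 4.87..4.91 range (inclusive)."""
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def assess(bv_output: str) -> str:
    """Classify raw `exim -bV` output into a short verdict string."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown: could not parse an Exim version"
    label = f"{version[0]}.{version[1]}"
    if is_vulnerable_version(version):
        # Distro packages may carry a backported fix under the same version number.
        return f"vulnerable-by-version: {label} is in 4.87-4.91 (verify distro backports)"
    if version >= FIXED_VERSION:
        return f"patched: {label} >= 4.92"
    return f"outside affected range: {label} predates 4.87 (unsupported; upgrade anyway)"


def assess_local_exim(exim_path: str = "exim") -> str:
    """Run the local Exim binary (named exim4 on Debian-based systems) and assess it."""
    try:
        proc = subprocess.run([exim_path, "-bV"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown: exim binary not found or did not respond"
    return assess(proc.stdout)


if __name__ == "__main__":
    print(assess(SAMPLE_BV_OUTPUT))
    print(assess_local_exim())
```

Run it on a mail host as a user that can execute the Exim binary; the `exim_path` parameter exists because Debian and Ubuntu install the binary as `exim4`.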

According to Shodan search results, 3,655,524 servers are running vulnerable Exim versions, most of them (1,984,5538) located in the United States. As for patched Exim installs, 1,795,332 systems use the 4.92 release.

The first wave of attacks was initially spotted by security researcher Freddie Leeman on June 9, 2019, with the hacker group dropping scripts used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s. Leeman said that he “detected multiple variants and they are changing the scripts too. The latest versions are directly downloading the binary payload and running it, skipping the gathering of system data and posting it.”

On June 10, researchers detected a second campaign, more sophisticated than the attacks described above. According to Magni R. Sigurdsson, a security researcher at Cyren, the goal of this attack is to “create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account.” The attacks are launched from a server on the Tor network, which makes it significantly harder to pinpoint the operators of the campaign.
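Because the persistence mechanism described above is an extra key in root's `authorized_keys`, the practical detection is a baseline comparison: every key on the host should match a fingerprint the administrators already know. The block below is an added example, not code from the article or from any of the vendors it quotes. It parses the `authorized_keys` format (including lines that start with options such as `command="..."`), computes OpenSSH-style `SHA256:` fingerprints, and reports entries whose fingerprint is not on an allowlist; the sample file and key blobs are constructed, not real keys.

```python
import base64
import hashlib
from typing import Iterable, List, Tuple

# Key type tokens accepted by OpenSSH in authorized_keys (common subset).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed key material: any base64 blob exercises the parser and the
# fingerprint math; these are not usable SSH keys.
KNOWN_GOOD_BLOB = base64.b64encode(b"constructed-admin-key").decode()
SUSPECT_BLOB = base64.b64encode(b"constructed-unknown-key").decode()

# Constructed sample of /root/.ssh/authorized_keys: one known key, one with
# leading options that an administrator never added.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {KNOWN_GOOD_BLOB} admin@bastion

command="/usr/bin/backup",no-pty ssh-rsa {SUSPECT_BLOB} no-comment
"""


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(decoded blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, fingerprint, comment) for each key line.

    Options may precede the key type; the key type is located as the first
    token that is a known type, so option tokens are skipped regardless of form.
    Blank lines, comments and malformed lines are ignored.
    """
    entries: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no type/blob pair: malformed, sshd would reject it too
        comment = " ".join(tokens[idx + 2:])
        entries.append((tokens[idx], fingerprint(tokens[idx + 1]), comment))
    return entries


def find_unexpected_keys(text: str, allowed_fingerprints: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Entries whose fingerprint is not in the administrator-maintained allowlist."""
    allowed = set(allowed_fingerprints)
    return [entry for entry in parse_authorized_keys(text) if entry[1] not in allowed]


if __name__ == "__main__":
    allowlist = {fingerprint(KNOWN_GOOD_BLOB)}  # in practice: loaded from config management
    for key_type, fp, comment in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, allowlist):
        print(f"UNEXPECTED {key_type} {fp} {comment!r}")
```

On a real host, feed it the contents of `/root/.ssh/authorized_keys` and an allowlist of fingerprints exported from wherever keys are actually managed; `ssh-keygen -lf <file>` prints the same `SHA256:` form for cross-checking.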

The second round of attacks was also detected by Cybereason’s researchers, who said that this campaign uses a self-spreading worm component that propagates the Exim exploit to other servers, and that the attackers additionally download and install a cryptocurrency miner on the compromised servers.

These attacks have serious implications for organizations, and Exim server owners are strongly advised to patch their installations as soon as possible.
