14 June 2019

Hackers actively exploit a recently patched vulnerability in Exim email server software

Mail servers running vulnerable Exim mail transfer agent (MTA) versions are currently under siege with hackers trying to exploit the CVE-2019-10149 (aka “Return of the WIZard”) vulnerability in effort to take over them.

The flaw in question resides in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software and can be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers. The issue is caused by improper validation of recipient addresses and can lead to remote code execution with root privileges on the mail server. Exim’s team addressed the vulnerability with the release of version 4.92 in February, but a large number of operating systems still remain vulnerable to this issue.

According to Shodan search results, 3,655,524 servers are running vulnerable Exim versions, most of them (1,984,5538) located in the United States. As for patched Exim installs, 1,795,332 systems use the 4.92 release.
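The Shodan figures above are derived from version strings exposed in SMTP banners. The following added example (not code from the article or from the Exim project) shows how an administrator can triage an inventory of banner or `exim -bV` strings against the version range the article states (4.87 through 4.91 affected, 4.92 fixed). The sample banners are constructed, and the host names are placeholders. One caveat a practitioner should keep in mind: Linux distributions often backport the fix without changing the upstream version number, so a banner reporting 4.89 or 4.91 is a reason to check the package changelog, not proof of exposure on its own.

```python
import re

# Affected range and fixed release as stated in the article.
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)
FIXED = (4, 92)

# Matches "Exim 4.91" in an SMTP banner or "Exim version 4.91" in 'exim -bV' output.
# Suffixes such as "_RC1" or a third version component are ignored on purpose.
_VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)")


def parse_exim_version(text):
    """Return (major, minor) for the first Exim version found in text, or None."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(version):
    """Map a parsed version onto the article's published range.

    'vulnerable' : 4.87 <= version <= 4.91
    'patched'    : 4.92 or later
    'older'      : before 4.87, outside the stated range (still unsupported upstream)
    'unknown'    : no Exim version could be parsed
    """
    if version is None:
        return "unknown"
    if VULNERABLE_MIN <= version <= VULNERABLE_MAX:
        return "vulnerable"
    if version >= FIXED:
        return "patched"
    return "older"


def triage(banners):
    """Count how many banners fall into each class; useful over an exported inventory."""
    counts = {"vulnerable": 0, "patched": 0, "older": 0, "unknown": 0}
    for banner in banners:
        counts[classify(parse_exim_version(banner))] += 1
    return counts


# Constructed sample banners; the hosts do not exist.
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.91 Mon, 10 Jun 2019 12:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 12:00:01 +0000",
    "220 mx3.example.test ESMTP Exim 4.87_RC1 Mon, 10 Jun 2019 12:00:02 +0000",
    "220 mx4.example.test ESMTP Exim 4.86.2 Mon, 10 Jun 2019 12:00:03 +0000",
    "220 mx5.example.test ESMTP Postfix",
    "Exim version 4.89 #2 built 14-Mar-2018 05:43:22",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(parse_exim_version(banner)):>10}  {banner}")
    print(triage(SAMPLE_BANNERS))
```

Feed it the banner column of a Shodan export or the output of `exim -bV` collected from each host; anything classified `vulnerable` should be cross-checked against the distribution's package changelog before being treated as exposed.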

The first wave of attacks was initially spotted by security researcher Freddie Leeman on June 9, 2019, with the hacker group dropping scripts used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s. Leeman said that he “detected multiple variants and they are changing the scripts too. The latest versions are directly downloading the binary payload and running it, skipping the gathering of system data and posting it.”

On June 10, cybersecurity researchers detected another campaign, more sophisticated than the attacks mentioned above. According to Magni R. Sigurdsson, a security researcher at Cyren, the goal of this attack is to “create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account.” The attacks are launched from a server in the Tor network, which makes it significantly harder to pinpoint the operators of the campaign.
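Because the second campaign persists by appending an SSH key to the root account, a useful post-exposure check is to compare the keys in `/root/.ssh/authorized_keys` against a known-good baseline of fingerprints. The following is an added example, not code from the article or from Cyren; it parses each line (including a leading options field such as `command="..."`), computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports any entry whose fingerprint is not in the baseline or whose key blob is not valid base64. The sample file contents and key blobs are constructed placeholders, not real keys, and the `BASELINE` set stands in for whatever fingerprint list an organization maintains.

```python
import base64
import binascii
import hashlib
import sys

# Key types accepted in an authorized_keys line; anything before the type is the options field.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_authorized_key(line):
    """Split one authorized_keys line into options, type, blob and comment.

    Returns None for blank lines and comments. Options containing whitespace inside
    quotes are re-joined with single spaces, which is sufficient for auditing.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, token in enumerate(tokens):
        if token in KEY_TYPES and i + 1 < len(tokens):
            return {
                "options": " ".join(tokens[:i]),
                "type": token,
                "blob": tokens[i + 1],
                "comment": " ".join(tokens[i + 2:]),
            }
    return None


def fingerprint(blob_b64):
    """SHA256 fingerprint in OpenSSH's 'SHA256:<base64 without padding>' form, or None if the blob is not base64."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except binascii.Error:
        return None
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(lines, known_fingerprints):
    """Return entries that are unparseable or whose fingerprint is not in the baseline."""
    findings = []
    for number, line in enumerate(lines, start=1):
        entry = parse_authorized_key(line)
        if entry is None:
            continue
        fp = fingerprint(entry["blob"])
        if fp is None:
            findings.append({"line": number, "fingerprint": None, "type": entry["type"],
                             "comment": entry["comment"], "reason": "invalid key blob"})
        elif fp not in known_fingerprints:
            findings.append({"line": number, "fingerprint": fp, "type": entry["type"],
                             "comment": entry["comment"], "reason": "not in baseline"})
    return findings


def _constructed_blob(label):
    """Base64 of placeholder bytes, standing in for real key material (constructed)."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample file: two expected keys plus one that nobody provisioned.
ADMIN_BLOB = _constructed_blob("placeholder-key-material-admin")
BACKUP_BLOB = _constructed_blob("placeholder-key-material-backup")
SAMPLE_AUTHORIZED_KEYS = [
    "# root authorized keys (constructed sample)",
    "ssh-ed25519 " + ADMIN_BLOB + " admin@bastion",
    'command="/usr/local/bin/backup" ssh-rsa ' + BACKUP_BLOB + " backup@nas",
    "ssh-rsa " + _constructed_blob("placeholder-key-material-unexpected"),
]
BASELINE = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}

if __name__ == "__main__":
    # Usage: python3 audit_keys.py /root/.ssh/authorized_keys  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUTHORIZED_KEYS
    for finding in audit_authorized_keys(lines, BASELINE):
        print(f"line {finding['line']}: {finding['reason']} "
              f"{finding['type']} {finding['fingerprint']} {finding['comment']!r}")
```

Run it against the real file with a baseline of approved fingerprints; a key with no comment, or a fingerprint that matches nothing in the baseline, is the indicator this campaign would leave behind.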

The second round of attacks was also detected by Cybereason’s researchers, who said that this campaign includes code for a self-spreading worm component that propagates the Exim exploit to other servers, and that the attackers additionally downloaded and installed a cryptocurrency miner on hacked servers.

These kinds of attacks have serious implications for organizations, and Exim server owners are strongly recommended to patch their installations as soon as possible.
