Mail servers running vulnerable versions of the Exim mail transfer agent (MTA) are currently under siege, with attackers trying to exploit CVE-2019-10149 (aka “Return of the WIZard”) in an effort to take them over.
The flaw resides in Exim versions 4.87 through 4.91 and can be exploited by unauthenticated remote attackers to execute arbitrary commands on the mail server. It is caused by improper validation of recipient addresses, and a successful exploit yields remote code execution with root privileges, since the vulnerable code path runs as root. Exim’s developers addressed the issue with the release of version 4.92 in February, but a large number of servers still remain vulnerable.
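As an added example (not part of the original article or of the Exim project), the following Python script turns the affected-version range above into a fleet triage check: it parses the first line that `exim -bV` prints on each host and classifies the release. The host names and banners are constructed samples, with made-up build numbers and dates; the package-changelog commands named in the comments are the usual way to confirm a backported fix.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range for CVE-2019-10149 as stated above: 4.87 through 4.91,
# with the fix shipped in 4.92.
FIRST_VULNERABLE = (4, 87)
FIXED_IN = (4, 92)

# First line of `exim -bV` looks like: "Exim version 4.92 #3 built 30-Aug-2019 08:00:01"
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `exim -bV` output; None if it is not an Exim banner."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def classify(bv_output: str) -> str:
    """Classify a banner as 'vulnerable', 'patched', 'out_of_range_old' or 'unknown'.

    Caveat: a 'vulnerable' verdict is only as good as the version string.
    Distributions that backport the fix keep the old upstream version number,
    so confirm with the package changelog (`apt changelog exim4`,
    `rpm -q --changelog exim`) before escalating. Releases older than 4.87
    fall outside the stated range but are long unsupported; treat them as
    needing an upgrade anyway.
    """
    v = parse_exim_version(bv_output)
    if v is None:
        return "unknown"
    major_minor = v[:2]
    if major_minor < FIRST_VULNERABLE:
        return "out_of_range_old"
    if major_minor < FIXED_IN:
        return "vulnerable"
    return "patched"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for banners collected over SSH or configuration management."""
    return {host: classify(banner) for host, banner in banners.items()}


# Constructed sample banners (hostnames, build numbers and dates are made up).
SAMPLE_BANNERS = {
    "mx1": "Exim version 4.91 #1 built 11-Sep-2018 10:12:33\n"
           "Copyright (c) University of Cambridge, 1995 - 2018",
    "mx2": "Exim version 4.92 #3 built 30-Aug-2019 08:00:01",
    "mx3": "Exim version 4.86.2 #1 built 02-Apr-2016 09:00:00",
    "mx4": "bash: exim: command not found",
}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {verdict}")
```

Run it against real output by piping `exim -bV` from each host into the dictionary in place of the samples; the only decision the script makes for you is the version comparison, so the backport caveat in the docstring still applies to every "vulnerable" result.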
According to Shodan search results, 3,655,524 servers are running vulnerable Exim versions, most of them (1,984,5538) located in the United States. By contrast, 1,795,332 systems are running the patched 4.92 release. Counts like these are derived from advertised version banners, so they overstate exposure where a distribution has backported the fix under an older version number and understate it where the banner is suppressed.
The first wave of attacks was spotted by security researcher Freddie Leeman on June 9, 2019: the attackers fetched the scripts used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s. Leeman said that he “detected multiple variants and they are changing the scripts too. The latest versions are directly downloading the binary payload and running it, skipping the gathering of system data and posting it.”
On June 10, researchers detected a second campaign, more sophisticated than the attacks described above. According to Magni R. Sigurdsson, a security researcher at Cyren, its goal is to “create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account.” The attacks are launched from a server on the Tor network, which makes it significantly harder to pinpoint the operators of the campaign.
This second round of attacks was also analysed by Cybereason’s researchers, who reported that the campaign includes a self-spreading worm component that propagates the Exim exploit to other servers, and that the attackers additionally download and install a cryptocurrency miner on compromised hosts.
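To illustrate the check a responder would run for the backdoor described above (an SSH key appended to root’s account), here is an added Python example that is not code from the original article or from the researchers quoted. It diffs root’s `authorized_keys` against a baseline of known-good key fingerprints, computed the same way `ssh-keygen -lf` prints them. The sample `authorized_keys` content and the key blobs are constructed for the example; in practice the allowlist would come from fingerprints taken from a known-good copy of the file.

```python
import base64
import hashlib
import re
from typing import List, Set, Tuple

# Matches the key-type token, the base64 blob and an optional comment; anything
# before the key type is the options prefix (e.g. command="...",no-pty).
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.\-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def make_blob(key_type: str, key_bytes: bytes) -> str:
    """Build a synthetic OpenSSH-style public key blob (length-prefixed fields).

    Only used to construct sample data for this example; the bytes are not a real key.
    """
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(field(key_type.encode()) + field(key_bytes)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a key blob in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (options, key_type, blob, comment) for every key line; skip comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # malformed line: sshd would not load it either
        options = line[: m.start(1)].strip()
        entries.append((options, m.group(1), m.group(2), (m.group(3) or "").strip()))
    return entries


def unexpected_keys(text: str, allowed: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (fingerprint, key_type, options, comment) for keys absent from the allowlist."""
    found = []
    for options, key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in allowed:
            found.append((fp, key_type, options, comment))
    return found


# Constructed sample: root's authorized_keys after an unknown key was appended.
ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))  # synthetic "known" key
ROGUE_BLOB = make_blob("ssh-rsa", b"\x01" * 24)          # synthetic "unknown" key
SAMPLE_AUTHORIZED_KEYS = f"""# root's keys (constructed sample)
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {ADMIN_BLOB} admin@bastion
ssh-rsa {ROGUE_BLOB}
"""
BASELINE = {fingerprint(ADMIN_BLOB)}  # in practice: fingerprints from a known-good copy


if __name__ == "__main__":
    for fp, key_type, options, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"UNEXPECTED {key_type} {fp} options={options!r} comment={comment!r}")
```

Comparing fingerprints rather than raw lines means a re-wrapped or re-commented copy of a legitimate key does not raise a false alarm, while a key that was never in the baseline is reported regardless of how it was appended. Check every account that can log in, not only root, since the quoted script is one variant of the campaign.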
Attacks of this kind have serious implications for organizations, and Exim server owners are strongly advised to upgrade to version 4.92 or later (or their distribution’s patched package) as soon as possible. Servers that were exposed while unpatched should also be checked for the artifacts described above: unexpected entries in root’s SSH authorized keys and unfamiliar processes such as a cryptocurrency miner.