A flaw in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) on Linux systems is being actively exploited in the wild. Exim version 4.92 is not vulnerable.
Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet's email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.
The vulnerability being exploited is an input validation failure on the recipient address on an incoming message.
An initial attack was detected by researcher Freddie Leeman on June 9th.
The more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command-execution is established, the attacker then deploys a port scanner, to sniff out other vulnerable servers and installs a coin-miner.
In addition, the campaign appears to be "highly pervasive" with extra measures – such as installing several payloads at different stages including the port scanner and coin-miner – for persistence on the infected system.
It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm," researchers said. "They used hidden services on the TOR network to host their payloads and created deceiving windows ivulnerable exim serverscon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs."
The attack is still being researched and users of vulnerable versions of Exim are being urged to patch their systems.
Related
400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
(Score: -1, Troll) by Anonymous Coward on Saturday June 15 2019, @09:39AM (1 child)
I'd like to believe you, but so many things you say aren't true. Perhaps you should've posted the link instead of the title. /s
(Score: -1, Flamebait) by realDonaldTrump on Saturday June 15 2019, @10:47AM
Crooked H, is that you calling me a Lier? If it's you, possibly you're EMAILS is fine. Because you used to have a Microsoft EMAILS "server." And I assume you stuck with Microsoft Cyber. Their customers are very loyal because their product is the best on the market. As everyone knows.
I'll tell you, Soylent News is known as the Home of Links to Nowhere. You try to Tweet a Link, you think it's O.K., sorry it's not. And even the Editors don't know how to make a Link. That's O.K. That's O.K. You don't have to believe me. And, you don't have to believe the story from Random Factor that says EXACTLY the same thing. Just keep doing what you're doing. Keep believeing what you believe. And if you're doing the Exim "server" you may start to see many dirty pictures, and all kinds of "funny" squiggles in your EMAILS. The very special writing of the Chinese, the Korean and even Russian Hackers. Enjoy!!!