A flaw in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) on Linux systems is being actively exploited in the wild. Exim version 4.92 is not vulnerable.
Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet's email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.
The vulnerability being exploited is an input validation failure on the recipient address on an incoming message.
An initial attack was detected by researcher Freddie Leeman on June 9th.
The more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command-execution is established, the attacker then deploys a port scanner, to sniff out other vulnerable servers and installs a coin-miner.
In addition, the campaign appears to be "highly pervasive" with extra measures – such as installing several payloads at different stages including the port scanner and coin-miner – for persistence on the infected system.
It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm," researchers said. "They used hidden services on the TOR network to host their payloads and created deceiving windows ivulnerable exim serverscon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs."
The attack is still being researched and users of vulnerable versions of Exim are being urged to patch their systems.
Related
400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
(Score: 0) by Anonymous Coward on Saturday June 15 2019, @12:13PM (3 children)
The 1st internet worm also used email and looked for other systems. It attacked sendmail
(Score: 1, Informative) by Anonymous Coward on Saturday June 15 2019, @02:40PM
The Morris Worm and Canter and Siegel. Didn't get the worm but got the Green Card spam. Now get off my LAN!
(Score: 0) by Anonymous Coward on Saturday June 15 2019, @04:04PM (1 child)
Morris got off lightly because his daddy was connected.
(Score: 0) by Anonymous Coward on Sunday June 16 2019, @09:01AM
You're just jealous because you don't know who yours is.