SoylentNews is people
SoylentNews
from the post-fix-you-will-be-running-PostFix dept.
A flaw in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) on Linux systems is being actively exploited in the wild. Exim version 4.92 is not vulnerable.
Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet's email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.
The vulnerability being exploited is an input validation failure on the recipient address on an incoming message.
An initial attack was detected by researcher Freddie Leeman on June 9th.
The more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command-execution is established, the attacker then deploys a port scanner, to sniff out other vulnerable servers and installs a coin-miner.
In addition, the campaign appears to be "highly pervasive" with extra measures – such as installing several payloads at different stages including the port scanner and coin-miner – for persistence on the infected system.
It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm," researchers said. "They used hidden services on the TOR network to host their payloads and created deceiving windows ivulnerable exim serverscon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs."
The attack is still being researched and users of vulnerable versions of Exim are being urged to patch their systems.
Related
400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
(Score: 2, Informative) by RandomFactor on Saturday June 15 2019, @01:51PM (1 child)
nice catch [soylentnews.org]
Search fail looking for previous coverage.
I would go with 'Update' in this case as the previous article was around the initial report of the vulnerability existing, this one is reporting on an active worm now circulating.
The bright side is the worm is apparently not currently attempting to destroy data, just hide and burn CPU cycles for profit.
В «Правде» нет известий, в «Известиях» нет правды
(Score: 0) by Anonymous Coward on Saturday June 15 2019, @04:11PM
The downside is that its taken them so long to notice the active exploit...I'd noticed weird goings on appearing in the exim main log (as opposed to the usual stuff in the error log) last month and hacked together some crude code to block the persistent miscreants at the firewall...I 'd have modified the Exim code directly to do the same but, well, you know......