SoylentNews

RandomFactor [soylentnews.org] writes:

A flaw in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) on Linux systems is being actively exploited in the wild. [threatpost.com] Exim version 4.92 is not vulnerable.

Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet’s email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.

The vulnerability being exploited [nist.gov] is an input validation failure on the recipient address on an incoming message.

An initial attack was detected [twitter.com] by researcher Freddie Leeman on June 9th.

The more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command-execution is established, the attacker then deploys a port scanner, to sniff out other vulnerable servers and installs a coin-miner.

In addition, the campaign appears to be “highly pervasive” with extra measures – such as installing several payloads at different stages including the port scanner and coin-miner – for persistence on the infected system.

It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm,” researchers said. “They used hidden services on the TOR network to host their payloads and created deceiving windows ivulnerable exim serverscon files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs.”

The attack is still being researched and users of vulnerable versions of Exim are being urged to patch their systems.

Related
400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks [soylentnews.org]

Original Submission