Exim servers, estimated to run nearly 57% of the internet's email servers, are now under a heavy barrage of attacks from hacker groups trying to exploit a recent security flaw in order to take over vulnerable servers, ZDNet has learned.

At least two hacker groups have been identified carrying out attacks, one operating from a public internet server, and one using a server located on the dark web.

Return of the WIZard - CVE-2019-10149

Both groups are using an exploit for CVE-2019-10149, a security flaw that was publicly disclosed on June 5.

The vulnerability, nicknamed "Return of the WIZard," allows remotely-located attackers to send malicious emails to vulnerable Exim servers and run malicious code under the Exim process' access level, which on most servers is root.

Because of the sheer number of Exim servers that are currently installed across the internet -- estimated at somewhere between 500,000 and 5.4 million -- exploitation attempts were very much anticipated.

First group and the first wave of attacks

According to self-described security enthusiast Freddie Leeman, the first wave of attacks started on June 9, when the first hacker group started blasting out exploits from a command-and-control server located on the clear web, at http://173[.]212.214.137/s.

During the subsequent days, this group evolved its attacks, changing the type of malware and scripts it would download on infected hosts; a sign that they were still experimenting with their own attack chain and hadn't settled on a particular exploit method and final goal.

But despite the group's unclear attack patterns, these attacks weren't duds, making at least some victims.

Fuck, my main box got owned by this. Good thing I have daily backups. — Neal Walfield (@nwalfield) June 11, 2019

Second group enters the fold

Parallel to this group, a second wave of attacks carried out by a second group was also seen get underway on June 10, Magni R. Sigurðsson, a security researcher at Cyren told ZDNet today in an email.

"The immediate objective of the current attack is to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account," Sigurðsson told ZDNet.

According to the researcher, the attack's steps are as follows:

1) The attackers send an email, and in the SMTP dialog of that email, the RCPT_TO field gets an email address that contains a "localpart" crafted by the attackers to exploit the Exim vulnerability. Specifically, the attack uses a specially crafted Envelope-From (532.MailFrom) that looks like the below, it would download a Shell script and directly executes it.

Image: Cyren (provided)

2) The infected Exim server executes that localpart in their own user context, when they receive the email.

3) Since people are still running Exim as root, it will then download a shell script that will open SSH access to the MTA server via a public key to the root user.

"The script in itself is hosted in the Tor network, so attribution is almost impossible," Sigurðsson told ZDNet.

"They are targeting Red Hat Enterprise Linux (RHEL), Debian, openSUSE and Alpine Linux operating systems."

This second wave of attacks, more advanced than the first, were also spotted today by Cybereason Head of Security Research Amit Serper, confirming that the group had not only continued to operate but had also amplified its attacks enough to pop up on the honeypots of other security firms as well.

1/n IMPORTANT, THREAD: Someone is actively exploiting vulnerable exim servers. The attackers are using that exim vuln to gain permanent root access via ssh to those exploited servers by using a script that's uploaded to that server through that exploit. — Amit Serper (@0xAmit) June 13, 2019

In a blog post published after this article's publication, Serper also confirmed that this second campaign also featured code for a self-spreading worm component that propagated the Exim exploit to other servers, and that hackers also downloaded and installed a cryptocurrency miner on compromised servers.

For now, the only thing Exim server owners can do is to update to version 4.92 as soon as possible, and prevent any attacks from impacting their email servers.

Article updated at 7:30pm ET with link to Cybereason analysis.

Related malware and cybercrime coverage: