Hackers are targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions, threat actors leverage the CVE-2019-10149 flaw.

Millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions are under attack, threat actors are exploiting the CVE-2019-10149 flaw to take over them.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

The flaw is easily exploitable by a local and a remote attacker in certain non-default configurations, experts believe that threat actors will start using it in attacks in the wild.

The CVE-2019-10149 flaw was addressed the Exim’s development team with the release of version 4.92 in February. Unfortunately, a large number of operating systems are still affected by the vulnerability.

Querying Shodan for vulnerable versions of Exim it is possible to find 3,655,524 installs most of them in the United States (1,984,5538).

Searching for patched Exim installs running the 4.92 release we can find 1,795,332 systems.

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason..

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers then when they will be compromised the initially deployed script will download a second script designed to check if OpenSSH is installed on the compromised machine.

In case OpenSSH is not present, it will install it and start it to gain root logins via SSH using a private/public RSA key for authentication.

Also, look for this string in your firewall/access logs: "an7kmd2wp4xo7hpr" – this is the TOR hidden service that this campaign is running from. It will be followed by all of those tor2web "router" hostnames. — Amit Serper (@0xAmit) June 13, 2019

4/4 That means that if your server was exploited, the attackers have root access to your server via private/public key authentication. I'll start working on a blog post about this in the @cybereason nocturnus blog. Watch my twitter account for details. pic.twitter.com/TvSDVvRn4v — Amit Serper (@0xAmit) June 13, 2019

Experts also observed another campaign carried out by a second group of attackers that is also targeting Exim servers.

The second stream of attacks was spotted by Freddie Leeman on June 9, in this wave of attacks attackers were delivering the script used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s.

I've detected multiple variants and they are changing the scripts too. The latest versions are directly downloading the binary payload and running it, skipping the gathering of system data and posting it. Gonna decompile the payload later. — Freddie Leeman (@freddieleeman) June 10, 2019

“During the subsequent days, this group evolved its attacks, changing the type of malware and scripts it would download on infected hosts; a sign that they were still experimenting with their own attack chain and hadn’t settled on a particular exploit method and final goal.” reported ZDnet.

The attackers behind this second stream used multiple variants and continuously changed the scripts.

Pierluigi Paganini

( SecurityAffairs – Exim, hacking)

Share this...

Linkedin Reddit Pinterest

Share On