It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149).
One security enthusiast detected exploitation attempts five days ago:
Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149). Tries to downloads a script located at http://220.127.116.11/s (careful). If you run Exim, make sure it's up-to-date. @qualys pic.twitter.com/s7veGBcKWO
— Freddie Leeman (@freddieleeman) June 9, 2019
Amit Serper, Cybereason’s head of security research, warned on Thursday about attackers exploiting the flaw to gain permanent root access via SSH to target Linux servers.
“The campaign uses a private authentication key that is installed on the target machine for root authentication,” he noted.
“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”
They also install a portscanner that “looks for additional vulnerable servers on the Internet, connects to them, and infects them with the initial script.”
What to do?
Despite the flaw having been patched in February and the security community urging admins to upgrade Exim to v4.92 or implement the patches provided for older (outdated) releases (from v4.87 to v4.91), there are still many vulnerable servers out there.
Cybereason’s latest Shodan search puts the number at 3,68 million or so – though this is just the servers that run an older Exim version and some of them may have patches implemented. Nevertheless, there are definitely too many.
If you’re servers are still vulnerable, get patching!
Cybereason has also provided some indicators of compromise that you can use to check whether you’ve been hit and have promised more information as soon as they dig it up. (Keep in mind, though, that these IoCs are just for this specific campaign and your servers might have been targeted by other attackers.)
UPDATE (June 16, 2019, 7:40 a.m. PT):
Microsoft has confirmed that an active Linux worm leveraging CVE-2019-10149 is operating in the wild and has urged customers using Azure virtual machines (VMs) to update the operating systems running on them.
“As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” the company noted.