It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149).
One security enthusiast detected exploitation attempts five days ago:
Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149). Tries to download a script located at http://22.214.171.124/s (careful). If you run Exim, make sure it’s up-to-date. @qualys pic.twitter.com/s7veGBcKWO
— Freddie Leeman (@freddieleeman) June 9, 2019
Amit Serper, Cybereason’s head of security research, warned on Thursday about attackers exploiting the flaw to gain permanent root access via SSH to target Linux servers.
“The campaign uses a private authentication key that is installed on the target machine for root authentication,” he noted.
“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”
They also install a portscanner that “looks for additional vulnerable servers on the Internet, connects to them, and infects them with the initial script.”
What to do?
Despite the flaw having been patched in February and the security community urging admins to upgrade Exim to v4.92 or implement the patches provided for older (outdated) releases (from v4.87 to v4.91), there are still many vulnerable servers out there.
Cybereason’s latest Shodan search puts the number at roughly 3.68 million – though that figure counts every server running an older Exim version, and some of those may already have had the patches applied. Nevertheless, there are definitely too many.
If your servers are still vulnerable, get patching!
Cybereason has also provided some indicators of compromise that you can use to check whether you’ve been hit, and has promised more information as soon as they dig it up. (Keep in mind, though, that these IoCs are only for this specific campaign; your servers might have been targeted by other attackers.)
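Added example (not from the article or from Cybereason): a POSIX shell check that parses `exim -bV` and flags the 4.87 through 4.91 range the article names as affected by CVE-2019-10149; it assumes the first line of that output has the form `Exim version 4.91 #1 built ...`. Because distributions backport fixes, a version in that range is a prompt to confirm the patch, not proof of exposure.

```shell
#!/bin/sh
# Added example, not the article's or Cybereason's code. Assumes `exim -bV`
# prints a first line like "Exim version 4.91 #1 built 12-Jan-2019 ...".

# Return 0 when a version string such as "4.91" lies in 4.87..4.91,
# 1 when it is outside that range, 2 when it cannot be parsed.
exim_version_in_vuln_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        *[!0-9]*|"") return 2 ;;   # not a numeric major.minor version
    esac
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# Extract "4.91" from the first line of `exim -bV` output (empty if absent).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Check the locally installed Exim, if any.
# Exit status: 0 = outside the affected range, 1 = in range, 2 = no exim/unparsable.
check_local_exim() {
    if ! command -v exim >/dev/null 2>&1; then
        echo "exim not found in PATH"; return 2
    fi
    ver=$(exim_version_from_bv "$(exim -bV 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not parse exim -bV output"; return 2
    fi
    if exim_version_in_vuln_range "$ver"; then
        echo "Exim $ver is in the 4.87-4.91 range: upgrade to 4.92 or confirm a backported fix"
        return 1
    fi
    echo "Exim $ver is outside the affected range"
    return 0
}
```

Run `check_local_exim` on each mail host; a non-zero status is the signal to act, and a distro package changelog is the place to confirm a backported fix.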