The Internet, including both the surface web and the Dark Web, is currently being scanned by cybercriminals looking for vulnerable Exim servers; Exim currently holds a 57% market share of all email servers in the world. The Exim flaw documented as CVE-2019-10149 lets attackers send a malformed email to a target Exim server and have its malicious payload executed by an Exim process running as root. With an estimated 5.4 million active Exim servers, finding a vulnerable one is not a challenge at all. The massive campaign against Exim email servers was first detected on June 9 and continues to this day; the command and control server (126.96.36.199) has since been identified by independent researchers, among them Freddie Leeman.
Once attackers have penetrated a vulnerable Exim server with root privileges, they are free to do whatever the shell allows a root user to do. In observations beginning June 10, security researcher Magni Sigurðsson of Cyren found that the attackers were downloading a custom shell script that inserts a new SSH key into the root account, giving them a persistent backdoor into the servers. Vulnerable Exim servers have a flaw whereby any code executed in Exim's context is treated by the host as "root" access (as configured by its admins); the normal behavior should be to warn system admins first before allowing code to execute as root.
“The immediate objective of the current attack is to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account. They are targeting Red Hat Enterprise Linux (RHEL), Debian, openSUSE and Alpine Linux operating systems,” explained Magni Sigurðsson.
A separate team of researchers from Cybereason, headed by Chief of Security Research Amit Serper, confirmed that a second wave of attacks against Exim servers is under way at the time of this writing. This new wave was carefully devised by the attacker groups to determine whether a "potential" victim is a real server or merely a honeypot set up by security researchers to document their campaign.
The Top 10 Countries with the most vulnerable public Exim servers are the following:
1. United States – 1,996,569 servers
2. Russia – 192,737 servers
3. Canada – 142,967 servers
4. Netherlands – 137,064 servers
5. Germany – 129,821 servers
6. United Kingdom – 123,357 servers
7. France – 112,730 servers
8. Romania – 89,656 servers
9. Singapore – 61,983 servers
10. Turkey – 56,714 servers
Aside from the activities mentioned above, the attackers are also installing cryptocurrency-mining malware on every Exim server they manage to compromise. All system admins maintaining an Exim server in their organizations are advised to check /root/.ssh, and every other .ssh folder on the host, for the following exact entry:
“ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH user@localhost”
The presence of this entry means someone from the attacker group was able to connect to the Exim server. It is highly recommended that Exim servers be updated as soon as possible to close the vulnerability.
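The check described above, as an added example written for this page rather than taken from the article or from any vendor tool: it sweeps every `.ssh/authorized_keys` file under a directory for the indicator key quoted above, so running it against `/` covers `/root/.ssh` and all user home directories at once. It assumes a POSIX sh with `find`, `grep` and `mktemp`; the sample home directories it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): find authorized_keys files that
# contain the SSH public key the article names as the backdoor indicator.
# Assumes POSIX sh with find, grep and mktemp. The key text is the one quoted above.

IOC_KEY='AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH'

# Print the path of every authorized_keys / authorized_keys2 file under DIR
# whose contents include the indicator key. Run with "/" to sweep the whole host
# (/root/.ssh and every home directory). Fixed-string match, so no regex surprises.
find_indicator_files() {
    find "$1" -type f \( -name authorized_keys -o -name authorized_keys2 \) \
        -path '*/.ssh/*' -exec grep -lF "$IOC_KEY" {} + 2>/dev/null
}

# Print the number of flagged files under DIR; 0 means the indicator was not found.
count_indicator_hits() {
    find_indicator_files "$1" | awk 'END { print NR }'
}

# Constructed demonstration: a sandbox with one clean user key and one root
# authorized_keys file planted with the indicator. Prints the flagged path(s)
# and, on the last line, the hit count.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/.ssh" "$tmp/home/alice/.ssh"
    # Constructed, harmless key for the clean account (not a real key).
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotTheIndicator alice@workstation" \
        > "$tmp/home/alice/.ssh/authorized_keys"
    # Planted indicator entry, exactly as the article quotes it.
    echo "ssh-rsa $IOC_KEY user@localhost" > "$tmp/root/.ssh/authorized_keys"
    find_indicator_files "$tmp"
    hits=$(count_indicator_hits "$tmp")
    rm -rf "$tmp"
    echo "$hits"
}

demo_scan
```

A hit means the key should be removed and the host treated as compromised, not merely patched; a clean sweep does not by itself prove the server was never exploited, so patching Exim remains the priority either way.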