Mass attack on vulnerable Exim-based mail servers

Security researchers at Cybereason have warned mail server administrators about the discovery of a mass automated attack exploiting a critical vulnerability (CVE-2019-10149) in Exim, identified last week. During the attack, the attackers achieve execution of their code as root and install malware on the server for mining cryptocurrencies.

According to the June automated survey, Exim's share is 57.05% (56.56% a year ago); Postfix is used on 34.52% (33.79%) of mail servers, Sendmail on 4.05% (4.59%) and Microsoft Exchange on 0.57% (0.85%). According to the Shodan service, more than 3.6 million mail servers on the global network remain potentially vulnerable because they have not been updated to the latest current Exim release, 4.92. Around 2 million potentially vulnerable servers are in the USA and 192 thousand in Russia. According to RiskIQ, about 70% of Exim servers have already moved to version 4.92.


Administrators are advised to urgently install the updates prepared by the distributions last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If the system runs a vulnerable Exim version (4.87 through 4.91), you need to make sure the system has not already been compromised by checking crontab for suspicious entries and confirming that there are no extra keys in the /root/.ssh directory. The attack may also be indicated by firewall log activity involving the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used while the malware is downloaded.
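The checks above can be scripted. The following POSIX shell helper is an added example written for this page, not code from the article, Cybereason or the Exim project: it classifies an Exim version string as inside or outside the affected 4.87 to 4.91 range, counts log or crontab lines that mention the three tor2web/onion hosts named above, and counts the keys present in an authorized_keys file so the administrator can compare against the number they expect. The log lines and key file used for the demonstration are constructed sample data; the key material in them is a placeholder.

```sh
#!/bin/sh
# Added triage helper for CVE-2019-10149 (example code, not from the original article).
# All sample data below is constructed for demonstration.

# Hosts the article names as used during the malware download.
IOC_HOSTS="an7kmd2wp4xo7hpr.tor2web.su an7kmd2wp4xo7hpr.tor2web.io an7kmd2wp4xo7hpr.onion.sh"

# exim_version_vulnerable VERSION
#   Returns 0 when VERSION is 4.87 .. 4.91 (the affected range), 1 otherwise.
#   Accepts strings such as "4.91", "4.89_RC1" or "4.91-3" (packaging suffixes are ignored).
exim_version_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}   # drop anything after the leading digits
    if [ "$major" = "4" ] && [ -n "$minor" ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# ioc_hits FILE
#   Prints the number of lines in FILE (a firewall log or a crontab dump)
#   that mention any of the IoC hosts. A line is counted once even if it
#   names several hosts.
ioc_hits() {
    logfile=$1
    set --
    for host in $IOC_HOSTS; do
        set -- "$@" -e "$host"
    done
    grep -c -F "$@" -- "$logfile" || true   # grep prints 0 and exits 1 on no match
}

# count_authorized_keys FILE
#   Prints the number of key entries in an authorized_keys file, skipping
#   blank lines and comments. Compare the result with the number of keys
#   you deliberately placed in /root/.ssh/authorized_keys.
count_authorized_keys() {
    grep -c -v -E '^[[:space:]]*(#|$)' -- "$1" || true
}

# --- constructed demo data; the hashes/keys are placeholders, not real material ---
DEMO=$(mktemp -d)
cat > "$DEMO/firewall.log" <<'EOF'
Jun 13 02:11:45 mx1 kernel: OUT=eth0 DST=203.0.113.10 DPT=443 host=an7kmd2wp4xo7hpr.tor2web.su
Jun 13 02:11:46 mx1 kernel: OUT=eth0 DST=203.0.113.11 DPT=443 host=updates.example.net
Jun 13 02:12:02 mx1 kernel: OUT=eth0 DST=203.0.113.12 DPT=80 host=an7kmd2wp4xo7hpr.onion.sh
EOF
cat > "$DEMO/authorized_keys" <<'EOF'
# key installed by the administrator
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-admin-placeholder admin@example.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-unexpected-placeholder root@localhost
EOF

# Demo run; on a real host replace the version with the output of `exim -bV`,
# the log with your firewall log and the key file with /root/.ssh/authorized_keys.
for v in 4.86 4.87 4.91 4.92; do
    if exim_version_vulnerable "$v"; then
        echo "Exim $v: in affected range, check for compromise"
    else
        echo "Exim $v: outside affected range"
    fi
done
echo "IoC host mentions in firewall log: $(ioc_hits "$DEMO/firewall.log")"
echo "Keys in authorized_keys: $(count_authorized_keys "$DEMO/authorized_keys")"
```

A non-zero IoC count or more keys than you placed yourself is a reason to treat the host as compromised rather than simply patched; the same `ioc_hits` call can be pointed at `crontab -l` output saved to a file, since the article notes that the miner registers itself there.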

The first attacks on Exim servers were recorded on June 9. By June 13 the attack had become mass-scale. After the vulnerability is exploited, a script is downloaded through tor2web gateways from a Tor hidden service (an7kmd2wp4xo7hpr); it checks for the presence of OpenSSH (installing it if absent), changes its settings (enables root login and key authentication) and installs an RSA key for the root user that grants access to the system via SSH.

Once the backdoor is in place, a port scanner is installed on the system to find other vulnerable servers. The system is also searched for existing mining software, which is removed if found. In the final stage the attackers' own miner is downloaded and registered in crontab. The miner is downloaded under the guise of an ico file (in reality a zip archive with the password "no-password") containing an executable in ELF format for Linux with Glibc 2.7+.

source: opennet.ru