Hacker Groups Pounce on Millions of Vulnerable Exim Servers

eximMultiple groups are launching attacks against exposed Exim mail servers, trying to exploit a vulnerability that could give them permanent root access. Exim servers reportedly run almost 57% of the internet’s email servers, and recent Shodan searches show millions of vulnerable machines still running.

The attackers are exploiting CVE-2019-10149, a vulnerability also called “Return of the WIZard.” It was published on June 5 by security firm Qualys as a Remote Command Execution vulnerability affecting Exim versions 4.87 to 4.91. The vulnerability makes it possible for attackers to remotely run arbitrary commands as root on successfully exploited Exim servers.

These attacks are ongoing, but not unexpected. There were already reports of the vulnerability last week; and the large number of Exim servers meant that cybercriminals had a substantial amount of targets. However, Exim users should note that a patch has been available since February. The developers addressed the security flaw with version 4.92.

Exim attackers

Two groups have been seen attacking Exim servers, both using the vulnerability named above. One of the attacks was discovered by Freddie Leeman, who posted his findings on Twitter.

From Leeman’s report, it seems the hackers dropped malicious script from a public server on the normal web. According to BleepingComputer, the dropped script will download another script, which then deploys multiple binary payload variants on the exploited hosts. Multiple versions of this exploit were developed in the days succeeding the discovery, which shows that the attackers were still fine-tuning their techniques.

Another team of attackers was seen by security researcher Magni Sigurðsson, who told ZDNet that the objective of this particular attack is to create a backdoor on the mail servers by downloading a shell script that adds a Secure Shell (SSH) key to the root account. These attackers hosted their script on the Tor network, making it harder to identify them.

Solutions and recommendations

Many Exim users have patched and updated their mail servers since the patch was released and news of the vulnerability has spread. Those who have not applied the patch should update to version 4.92.

Patching is still a problem for many enterprises, and this a known issue. Many cybercriminals actively abuse vulnerabilities for which patches have already been released. Some attackers exploit vulnerabilities that have been patched for almost a year, assuming that many users do not apply available updates quickly, or even at all.

Technologies like virtual patching and application control can help organizations avoid the burden of ad hoc patching. An audit tool can also help organizations include the important patches in a scheduled patch cycle to help ease the burden of planning and deployment.

The Trend Micro™ Deep Security™ solution provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications. Deep Security™ and Vulnerability Protection protect systems and users via the following Deep Packet Inspection (DPI) rule:

  • 1009797 - Exim 'deliver_message' Command Injection Vulnerability (CVE-2019-10149)

The Trend Micro™ TippingPoint® system provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. Customers are protected from threats and attacks that may exploit this vulnerability via this MainlineDV filter:

  • 35520: SMTP: Exim Internet Mailer Command Injection Vulnerability

The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.