Researchers have spotted a major new cyber-attack campaign targeting millions of Linux email servers around the world with a cryptomining malware payload.
Exim accounts for over half (57%) of the globe’s internet email servers. Over 3.5 million are at risk from a vulnerability discovered last week, CVE-2019-10149, according to security vendor Cybereason.
There appears to be two waves of attack: the first involved attackers initially pushing out exploits from a command and control (C2) server on the clear web. However, the second seems to be more sophisticated.
“This is a highly pervasive campaign that installs cron jobs for persistence and downloads several payloads for different stages of the attack. In one of those stages, one of the payloads is a port scanner written in python. It looks for additional vulnerable servers on the internet, connects to them, and infects them with the initial script,” wrote Cybereason.
“In the attack, the attackers add an RSA authentication key to the SSH server which allows them to connect to the server as root and own it completely.”
Researchers are still working to assess the breadth of the campaign, but with worm-like capabilities in play, system administrators are urged to patch their Exim servers now, as well as find and remove any cron jobs.
“It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm. They used hidden services on the TOR network to host their payloads and created deceiving windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs,” concluded Cybereason.
“The prevalence of vulnerable Exim servers allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue.”