Exim mail servers are not being patched fast enough, and members of the Russian state-sponsored Sandworm group are actively exploiting three critical vulnerabilities that allow remote execution of commands or code.
Nearly one million Exim servers are exposed and vulnerable, although the number is gradually declining from day to day. Exim 4.93 is currently considered a secure version.
Wider attack campaign
The US National Security Agency (NSA) warned on Thursday that since August last year, hackers have used CVE-2019-10149 ("The Return of the WIZard").
The flaw allows remote commands to be executed on servers running Exim 4.87 to 4.91. It was fixed in June 2019. The attackers exploited it by sending a specially crafted email to the target with a command embedded in the "MAIL FROM:" field.
Researchers at RiskIQ found that Sandworm's attacks also used two more security flaws in unpatched Exim servers. Both are critical and can be exploited remotely without authentication to execute code or programs with root privileges:
- CVE-2019-15846 - affects all versions of Exim up to and including 4.92.1; reported in July 2019 and patched in early September 2019
- CVE-2019-16928 - affects all Exim servers from 4.92 to 4.92.2; patched at the end of September 2019
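The three affected version ranges above are enough to build a quick inventory check. The following Python is an added example, not code from the article, RiskIQ or the NSA: it parses an Exim version out of either the `exim -bV` output or an SMTP banner and reports which of the three CVEs apply. The host list and banner strings are constructed sample data; the inclusive upper bounds are taken literally from the ranges quoted above.

```python
"""Map an Exim version string to the three CVEs discussed in the article.

Added example (not from the article). The ranges below are the ones the
article states; the patch-level comparison treats the stated upper bound
as inclusive (e.g. 4.92.1 is still affected by CVE-2019-15846).
"""
import re

# (lowest affected, highest affected), inclusive, as stated in the article.
VULNERABLE_RANGES = {
    "CVE-2019-10149": ((4, 87, 0), (4, 91, 0)),   # Exim 4.87 to 4.91
    "CVE-2019-15846": ((0, 0, 0), (4, 92, 1)),    # all versions up to 4.92.1
    "CVE-2019-16928": ((4, 92, 0), (4, 92, 2)),   # Exim 4.92 to 4.92.2
}

# Matches "Exim version 4.92 #3 built ..." (exim -bV) and
# "220 host ESMTP Exim 4.92.2 ..." (SMTP greeting banner).
_VERSION_RE = re.compile(r"Exim(?: version)?\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text):
    """Return the Exim version as a (major, minor, patch) tuple.

    Raises ValueError if no Exim version string is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Exim version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def applicable_cves(text):
    """List (sorted) the CVE ids whose affected range contains this version."""
    version = parse_exim_version(text)
    return sorted(
        cve for cve, (low, high) in VULNERABLE_RANGES.items()
        if low <= version <= high
    )


def triage_inventory(hosts):
    """Given {hostname: banner_or_version_text}, return {hostname: [cve, ...]}.

    Hosts whose text contains no recognisable Exim version are reported as
    None so they are not silently treated as safe.
    """
    result = {}
    for host, text in hosts.items():
        try:
            result[host] = applicable_cves(text)
        except ValueError:
            result[host] = None
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are made up.
    sample = {
        "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.89 Mon, 01 Jun 2020",
        "mx2.example.test": "Exim version 4.92.2 #2 built 30-Sep-2019",
        "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.93 ready",
        "mx4.example.test": "220 mx4.example.test ESMTP Postfix",
    }
    for host, cves in sorted(triage_inventory(sample).items()):
        print(host, "->", "unknown MTA/version" if cves is None else (cves or "not affected"))
```

Feed it the banner you collect from your own mail hosts (for example the first line `exim -bV` prints locally); anything that resolves to a non-empty list needs the upgrade to 4.93, and anything reported as None needs a manual look rather than being assumed safe.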
As of May 1, RiskIQ researchers observed in the company's internet-wide scan data that there were more than 900,000 vulnerable servers.
According to their data, organizations have started updating their Exim mail servers, and fewer vulnerable versions were recorded over the last month. However, the migration to a patched version is lagging.
The NSA provides two IP addresses and a domain name associated with Sandworm's activity, to help organizations determine whether they have been targeted by the threat actor.
Florian Roth, CTO of Nextron Systems, has published a tool that can detect Sandworm activity using detection rules and indicators of compromise (IOCs) based on samples from the NSA report.
The agency says the intruders used CVE-2019-10149 to download and execute a script that allowed them to "add privileged users, disable network security settings, update SSH configurations to allow extra remote access, run an additional script to allow continuous operation."
Their script gave them full access to the breached servers and all the MySQL databases running on them.
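Two of the post-exploitation actions the NSA describes, adding privileged users and loosening the SSH configuration, leave traces that a responder can check for on any Exim host, whether or not the published IOCs match. The Python below is an added example, not code from the article or the NSA report: it flags extra UID-0 accounts in `/etc/passwd` and `sshd_config` directives that widen remote access. The `PASSWD_SAMPLE` and `SSHD_SAMPLE` texts are constructed, and the choice of "risky" sshd directives is this example's own assumption, not a list from the page.

```python
"""Flag host-level traces of the post-exploitation steps described above.

Added example (not from the article). Checks two things on constructed
sample input: accounts other than root with UID 0, and sshd_config
directives that open up remote access. Real use would read /etc/passwd
and /etc/ssh/sshd_config instead of the samples.
"""

# Constructed /etc/passwd excerpt: "sysupd" is a planted UID-0 account.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:102:102::/var/spool/exim4:/usr/sbin/nologin
sysupd:x:0:0::/tmp:/bin/bash
"""

# Constructed sshd_config excerpt with access-widening settings enabled.
SSHD_SAMPLE = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
PermitEmptyPasswords no
"""

# Directive -> values that widen remote access (example's own assumption).
RISKY_DIRECTIVES = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
}


def uid0_accounts(passwd_text):
    """Return every account name whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def extra_root_accounts(passwd_text):
    """UID-0 accounts other than root: a direct sign of an 'added privileged user'."""
    return [name for name in uid0_accounts(passwd_text) if name != "root"]


def risky_sshd_directives(sshd_text):
    """Return (directive, value) pairs that match RISKY_DIRECTIVES.

    Comments are stripped first, so a commented-out default such as
    '#PermitRootLogin no' is ignored; matching is case-insensitive as
    sshd itself treats keywords.
    """
    findings = []
    for raw in sshd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key.lower() in RISKY_DIRECTIVES and value.lower() in RISKY_DIRECTIVES[key.lower()]:
            findings.append((key, value))
    return findings


def audit(passwd_text, sshd_text):
    """Combine both checks into one report dict."""
    return {
        "extra_root_accounts": extra_root_accounts(passwd_text),
        "risky_sshd_directives": risky_sshd_directives(sshd_text),
    }


if __name__ == "__main__":
    report = audit(PASSWD_SAMPLE, SSHD_SAMPLE)
    for key, value in report.items():
        print(key, "->", value or "none")
```

On a live host, read the two files into the functions and treat any non-empty finding as a reason to pull the Exim logs and compare against the NSA-published IOCs before deciding the box is clean.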