Friday, July 3, 02:55

Critical Exim errors have been fixed, but many servers are still at risk

Exim mail servers are not being updated fast enough, and members of the Russian Sandworm hacking group are actively exploiting three critical vulnerabilities that allow remote execution of commands or code.

Nearly one million Exim servers are exposed and vulnerable, although the number is declining daily. Exim 4.93 is currently considered a secure version.

Wider attack campaign

The US National Security Agency (NSA) warned on Thursday that since August last year, hackers have used CVE-2019-10149 ("The Return of the WIZard").

The flaw allows remote commands to be executed on servers running Exim 4.87 to 4.91. It was fixed in June 2019. The hackers took advantage of it by sending a specially crafted email to the target with a command added to the "MAIL FROM:" field.

Researchers at RiskIQ found that Sandworm's attacks used two more security flaws in unpatched Exim servers. Both are critical and can be exploited remotely without authentication to execute code or run programs with root privileges:

  • CVE-2019-15846 - affects all versions of Exim up to 4.92.1, reported in July 2019 and patched in early September 2019
  • CVE-2019-16928 - affects all Exim servers from 4.92 to 4.92.2, patched at the end of September 2019
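The version ranges above translate directly into an inventory check. The following is an added example, not code from the article or from Exim, that parses the version out of an SMTP greeting or `exim -bV` output (constructed sample lines) and maps it to the three CVEs using the bounds stated in this article:

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) as given in the article. Lower bound (0, 0, 0)
# means "every earlier release".
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2019-10149": ((4, 87, 0), (4, 91, 0)),   # 4.87 through 4.91
    "CVE-2019-15846": ((0, 0, 0), (4, 92, 1)),    # everything up to 4.92.1
    "CVE-2019-16928": ((4, 92, 0), (4, 92, 2)),   # 4.92 through 4.92.2
}

# Matches "Exim 4.92" in a banner and "Exim version 4.92.2" from `exim -bV`.
VERSION_RE = re.compile(r"Exim\s+(?:version\s+)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) for the first Exim version found in text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Exim version found in: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version: Version) -> List[str]:
    """List the CVEs whose stated range contains this version."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each inventory line to the CVEs it is exposed to (empty = none)."""
    return {line: affected_cves(parse_version(line)) for line in lines}


if __name__ == "__main__":
    # Constructed sample inventory: two SMTP greetings and one `exim -bV` line.
    sample = [
        "220 mx1.example.test ESMTP Exim 4.89 Fri, 03 Jul 2020 02:55:00 +0000",
        "220 mx2.example.test ESMTP Exim 4.92 Fri, 03 Jul 2020 02:55:00 +0000",
        "Exim version 4.93 #2 built 01-Dec-2019 12:00:00",
    ]
    for host, cves in triage(sample).items():
        print(f"{host[:40]:40} -> {', '.join(cves) or 'not in the listed ranges'}")
```

Distribution packages often backport fixes without changing the advertised version, so a banner match is a reason to verify the package's changelog, not a final verdict.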

As of May 1, RiskIQ researchers observed in the company's online database more than 900,000 vulnerable servers.

According to their data, organizations have started updating their Exim mail servers, and fewer vulnerable versions were recorded in the last month. However, the transition to an updated version is lagging.

A brief look at Shodan shows just over a million Exim servers (4.92) on the internet, most of them in the United States, followed by Germany and Russia.

The NSA provides two IP addresses and a domain name associated with Sandworm's activity, to help organizations determine whether they have been targeted by the threat actor.


Florian Roth, CTO of Nextron Systems, has published a tool that can detect Sandworm activity using detection rules and indicators of compromise (IOCs) based on samples from the NSA report.

The agency says the intruders used CVE-2019-10149 to download and execute a script that allowed them to "add privileged users, disable network security settings, update SSH configurations to allow extra remote access, run an additional script to allow continuous operation."

Their script gave them full access to the breached servers and all the MySQL databases running on them.
