Home » News » Millions of unpatched Exim mail servers are now under active attack

Millions of unpatched Exim mail servers are now under active attack

Cybercriminals are now actively attacking mail servers that use Exim for their work to exploit a vulnerability recently discovered in software.

As of June 2019, Exim was set at nearly 57% (507,389) of all mail servers that were visible on the Internet (according to some data, in fact, the number of Exim installations exceeds this figure by ten times and consisted 5.4 million).

As Trojan-Killer wrote: 57% of mail-servers have critical vulnerability

This is a CVE-2019-10149 vulnerability, also known as “Return of the WIZard”, which affects Exim versions from 4.87 to 4.91. The vulnerability allows a remote/local attacker to launch commands on the mail server with superuser privileges.

According to explorer Freddie Leeman, the first wave of attacks began on June 9th.

Freddie Leeman
Freddie Leeman

“During the campaign, a certain hacker group began attacking mail servers from the C & C server located on the Internet, and in the following days began experimenting with operating methods, changing the type of malware and scripts downloaded to infected servers”, – reported on the incident Freddie Leeman.

At nearly the same time, was recorded another wave of attacks, organized by another group. According to IB experts, this campaign is more complex than the one described above and continues to evolve.

Magni R. Sigurðsson
Magni R. Sigurðsson

“The immediate objective of the current attack is to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account,” – Magni R. Sigurðsson, a security researcher from Cyren told

The script itself located on a server of Tor network, making it almost impossible to find out its origin. Most hackers attack systems based on Red Hat Enterprise Linux (RHEL), Debian, openSUSE and Alpine Linux OSs.

READ  Microsoft Teams allows downloading and executing malicious files

According to information security specialists, the second campaign also uses a worm to spread the infection to other mail servers.

In addition to the backdoor, the attackers download cryptocurrency mining programs to the compromised servers.

To protect against attacks, owners of vulnerable servers are highly recommended to upgrade to the new version of Exim – 4.92.

Source: https://www.zdnet.com

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

Smominru Botnet Quickly Spreads Quickly

Smominru botnet quickly spreads and hacks over 90 thousand computers every month

Cryptocurrency mining and identity theft botnet Smominru (also known as Ismo) began to spread incredibly …

TFlower ransomware uses RDP

Researchers say about growing activity of TFlower, another ransomware that uses RDP

According to Bleeping Computer, the activity of TFlower, a ransomware that uses RDP and is …

Leave a Reply