This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.
Azure has controls in place to help limit the spread of this worm from work we’ve already done to combat SPAM, but customers using the vulnerable software would still be susceptible to infection.
Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.
There is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP Address is permitted through Network Security Groups.
It is for these reasons that we strongly advise that all affected systems – irrespective of whether NSGs are filtering traffic or not – should be updated as soon as possible.
Manager, Azure Incident Response
Microsoft Security Response Center (MSRC)
It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149).
One security enthusiast detected exploitation attempts five days ago:
Just detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149). Tries to download a script located at http://bit.ly/2WJmw1H (careful). If you run Exim, make sure it’s up-to-date. @qualys pic.twitter.com/s7veGBcKWO
— Freddie Leeman (@freddieleeman) June 9, 2019
Amit Serper, Cybereason’s head of security research, warned on Thursday about attackers exploiting the flaw to gain permanent root access via SSH to target Linux servers.
“The campaign uses a private authentication key that is installed on the target machine for root authentication,” he noted.
“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”
The attackers also install a port scanner that “looks for additional vulnerable servers on the Internet, connects to them, and infects them with the initial script.”
What to do?
Despite the flaw having been patched in February and the security community urging admins to upgrade Exim to v4.92 or implement the patches provided for older (outdated) releases (from v4.87 to v4.91), there are still many vulnerable servers out there.
Cybereason’s latest Shodan search puts the number at 3.68 million or so – though this is just the servers that run an older Exim version, and some of them may have patches implemented. Nevertheless, there are definitely too many.
If your servers are still vulnerable, get patching!
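A quick way to triage a fleet for the affected release range described above is to parse the version line that `exim -bV` prints. The following is an added example, not code from the article, Cybereason or Microsoft; the sample outputs are constructed, and, as the article notes, a distribution may have backported the fix into an older version string, so an "affected" result means "check your vendor's advisory", not a confirmed vulnerability.

```python
import re
import subprocess

# Release range the advisory names as affected by CVE-2019-10149,
# and the release that carries the fix.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)
FIXED = (4, 92)

# First line of `exim -bV` looks like: "Exim version 4.91 #1 built 06-Feb-2019 ..."
# Suffixes such as "4.90_1" are tolerated; only major.minor is compared.
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output: str):
    """Return (major, minor) from `exim -bV` output, or None if absent."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(bv_output: str) -> str:
    """Classify a host by its upstream Exim release number only."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"          # Exim not installed or unexpected output
    if version >= FIXED:
        return "fixed"            # 4.92 or later, per the advisory
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"         # 4.87..4.91: patch or verify a backport
    return "outside-range"        # older than 4.87: not covered by this advisory


def assess_local_host() -> str:
    """Hypothetical helper: run `exim -bV` on this machine and classify it."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stdout)


# Constructed sample outputs (not captured from real hosts).
SAMPLE_AFFECTED = "Exim version 4.91 #1 built 10-Jun-2019 12:00:00\nCopyright (c) ...\n"
SAMPLE_FIXED = "Exim version 4.92 #3 built 10-Jun-2019 12:00:00\n"

if __name__ == "__main__":
    print(assess(SAMPLE_AFFECTED), assess(SAMPLE_FIXED), assess_local_host())
```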
Cybereason has also provided some indicators of compromise that you can use to check whether you’ve been hit, and has promised more information as soon as they dig it up. (Keep in mind, though, that these IoCs are just for this specific campaign and your servers might have been targeted by other attackers.)