Advisories

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates above to be notified as soon as we publish an advisory.

4:25pm, 17 June 2019

TLP Rating: White

Exim mail transfer agent (MTA) vulnerability being exploited

CERT NZ is aware of a vulnerability in Exim Mail Transfer Agent (MTA) software being actively exploited by two separate groups. Exim is widely used, according to ZDNet it is thought to be running on over 50% of the mail servers on the internet.

The vulnerability, CVE-2019-10149 and nicknamed "Return of the WIZard", allows attackers to run arbitrary system commands under the Exim process' access level, which on most servers is root.

The two known exploits have been observed spreading malware, establishing backdoor access, and installing cryptocurrency miners on compromised Exim servers.

What's happening

Systems affected

The vulnerability affects versions 4.87 to 4.91 of Exim. It is being exploited by at least two separate groups.

What this means

Security researchers have identified two different hacker groups exploiting this vulnerability. The attacks are similar in nature. They are downloading scripts from the attacker’s servers, which are being run on the target system. The scripts and locations have been observed to change over time, which indicates the groups are still developing their attacks.

One of the groups has used the vulnerability to download a shell script to mail servers that adds an SSH key to the root account. This campaign also features code for a self-spreading worm component that can spread this Exim exploit to other vulnerable Exim servers. The attackers also downloaded and installed a cryptocurrency miner on compromised servers.

What to look for

How to tell if you're at risk

If you’re running versions 4.87 to 4.91 (inclusive) of the Exim mail transfer agent (MTA) software, then you are affected by this vulnerability.

How to tell if you're affected

At the time of this advisory, CERT NZ are aware of the following  indicators of compromise:

  • Look for any unfamiliar cronjobs in your crontab and remove them if they are not part of expected system operation
  • Check your firewall and access logs for the following hostnames or IP addresses:
    • 173.212.214.137
    • https://an7kmd2wp4xo7hpr.tor2web.su
    • https://an7kmd2wp4xo7hpr.tor2web.io
    • https://an7kmd2wp4xo7hpr.onion.sh

Cybereason blog including additional indicators of compromise External Link

What to do

Prevention

Make sure you are using the most recent version of Exim, 4.92.

Note that some Linux distributions have backported the fix to older versions, you will need to check your servers to ensure they have the necessary update applied.

Mitigation

Operating system controls such as SELinux or Apparmor could be used to mitigate the impact of an attack. When correctly implemented, these controls limit the resources that the Exim process has access to.

More information

ZDNet article about Return of the WIZard vulnerability and its exploits External Link

Microsoft TechNet blog about Exim implications for Azure External Link

 

If you require more information or further support, submit a report on our website or contact us on 0800 CERT NZ (0800 2378 69).

Report an incident to CERT NZ

 

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.