Its has been nearly a year to the day since information about a serious vulnerability in the Exim mail transfer agent that’s included in many Linux distributions was released, and nearly a week since the NSA warned that Russian attackers are systematically exploiting the bug, but there are still several hundred thousand servers online running vulnerable versions of the MTA.
The vulnerability (CVE-2019-10149) affects several versions of Exim, from 4.87 through 4.91, and a fix has been available for the bug since June 2019. Researchers at Qualys discovered the flaw and reported it to the maintainers of Exim, who released a patched version and pushed it downstream to the Linux distributions that include the MTA. Exim runs a large portion of the mail servers online, so the target base is quite large, and almost immediately after that disclosure, attackers began exploiting the bug opportunistically. A worm designed to scan for vulnerable servers and then run an exploit to install a cryptocurrency miner.
There are two other serious flaws in Exim that were disclosed last year (CVE-2019-15846 and CVE-2019-16928), both of which can lead to remote code execution. Patches are available for both of those vulnerabilities, too, but, as with CVE-2019-10149, the updated versions have not been installed everywhere.
At the time the CVE-2019-10149 vulnerability was disclosed, there were about 3.5 million vulnerable servers and while the majority of those have been updated, data from RiskIQ shows that there are still around 900,000 vulnerable servers online every day. That number includes all of the servers that are vulnerable to any one of the three Exim flaws disclosed last year. The majority of those servers are running Exim 4.91 or 4.92. Exim 4.92.3 includes fixes for all of the vulnerabilities.
Last week, the NSA published an advisory warning that Russian threat actors known as the Sandworm team who are associated with the General Staff Main Intelligence Directorate military intelligence unit had been exploiting CVE-2019-10149 since at least August as part of a broad attack campaign.
“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA advisory says.
The Sandworm team is very active and highly capable, and is known to use a variety of tools in its intrusions, including the BlackEnergy malware.