Microsoft's security team has warned of a new Linux worm that spreads through vulnerable Exim mail servers and has already infected some Azure installations.

Threat actors continue to target cloud services in order to abuse them for a range of malicious purposes, such as hosting malware or running command and control (C2) servers.

Microsoft Azure is no exception: experts recently reported several campaigns that abused the platform to host tech-support scam pages and phishing templates.

Researchers had also previously found malware hosted on the Microsoft Azure platform.

At the end of last week, Microsoft warned of a new Linux worm that spreads via Exim servers and has already compromised some Azure installations.

Security experts recently described ongoing attacks against the millions of mail servers running vulnerable versions of the Exim mail transfer agent (MTA). Several different groups are exploiting the CVE-2019-10149 flaw to take them over.

The critical vulnerability affects Exim versions 4.87 through 4.91. It can be exploited by unauthenticated remote attackers to execute arbitrary commands on the mail server under certain non-default configurations.

CVE-2019-10149 resides in the deliver_message() function in /src/deliver.c and is caused by improper validation of recipient addresses. It can lead to remote code execution with root privileges on the mail server. Worse, the flaw is trivially exploitable by a local attacker, and by a remote attacker in certain non-default configurations.

The Exim development team fixed CVE-2019-10149 with the release of version 4.92 in February, but vulnerable versions remain in use across many operating systems.
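
Two quick checks a practitioner would want after reading the paragraphs above, as an added example (not code from the page, from Exim or from any of the researchers quoted): a version test against the affected 4.87 to 4.91 range, and a scan of Exim main-log lines for addresses whose local part carries Exim string-expansion syntax. The use of `${...}` in the RCPT TO local part as the exploit marker is an assumption taken from the public exploit write-ups for this bug, not from this page; the log lines are constructed for the example.

```python
"""Triage helpers for CVE-2019-10149 on an Exim host.

Added example, not code from the page or the Exim project. It runs offline
on constructed input:
  1. is_vulnerable_version(): is the version reported by `exim -bV` in the
     affected 4.87 .. 4.91 range (fixed upstream in 4.92)?
  2. find_expansion_in_log(): scan Exim mainlog lines for addresses whose
     local part carries Exim string-expansion syntax ("${...}"). A real
     recipient never contains it; the public exploit write-ups for this
     bug put the command inside the RCPT TO local part (assumption, not
     something stated on the page).
"""
import re

AFFECTED_MIN = (4, 87)  # first affected release
FIXED = (4, 92)         # first fixed release

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output):
    """Return (major, minor) from `exim -bV` output, or None if absent."""
    m = _VERSION_RE.search(bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(bv_output):
    """True when the upstream version number is in the affected range.

    Distributions often backport the fix without bumping the version, so
    True means "check the package changelog", not "confirmed vulnerable".
    """
    v = parse_exim_version(bv_output)
    if v is None:
        raise ValueError("no 'Exim version X.Y' string in input")
    return AFFECTED_MIN <= v < FIXED


def address_has_expansion(address):
    """True if the local part (before the last '@') contains '${'."""
    local_part = address.rsplit("@", 1)[0]
    return "${" in local_part


def addresses_in_log_line(line):
    """Pull address-like tokens out of one Exim mainlog line."""
    found = re.findall(r"<([^<>\s]+@[^<>\s]+)>", line)  # F=<..>, RCPT <..>
    m = re.search(r"\bfor (.+)$", line)  # "<= sender ... for rcpt1 rcpt2"
    if m:
        found.extend(t for t in m.group(1).split() if "@" in t)
    return found


def find_expansion_in_log(lines):
    """Return (line_number, address) for every address carrying '${'."""
    hits = []
    for n, line in enumerate(lines, 1):
        for addr in addresses_in_log_line(line):
            if address_has_expansion(addr):
                hits.append((n, addr))
    return hits


# Constructed sample mainlog lines (not real logs). Line 1 is benign; lines
# 2 and 3 carry an expansion in the recipient local part.
SAMPLE_LOG = [
    r"2019-06-09 10:12:01 1hZxyz-0001Ab-2C <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048 for bob@example.com",
    r"2019-06-09 10:15:44 1hZxyz-0001Ac-3D <= root@localhost H=(x) [203.0.113.5] P=esmtp S=1213 for ${run{\x2fbin\x2fsh\t-c\t\x22id\x22}}@localhost",
    r"2019-06-09 10:16:02 H=(x) [203.0.113.5] F=<root@localhost> rejected RCPT <${run{\x2fbin\x2fsh\t-c\t\x22id\x22}}@localhost>: relay not permitted",
]

if __name__ == "__main__":
    print("in affected range:", is_vulnerable_version("Exim version 4.91 #1 built 12-Mar-2019"))
    for n, addr in find_expansion_in_log(SAMPLE_LOG):
        print(f"line {n}: suspicious address {addr}")
```

Feed `is_vulnerable_version()` the first line of `exim -bV` and `find_expansion_in_log()` the Exim main log (its path varies by distribution). A version in range is a prompt to check the package changelog for a backported fix, not proof of exposure; an address with `${` in its local part is worth investigating regardless of version.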

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet,” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

The attackers scan the internet for vulnerable mail servers. Once a server is compromised, the initial script downloads a second script that checks whether OpenSSH is installed on the machine.

If OpenSSH is not present, the script installs and starts it, then enables root login over SSH using an attacker-controlled RSA key pair for authentication.
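
The SSH persistence described above leaves two artefacts a responder can check for on a Linux host: a key in root's authorized_keys that the operators never added, and a PermitRootLogin setting that allows it. The following is an added example (not the attackers' script, and not code from Microsoft or Cybereason) that parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, compares them against an allowlist, and reports the PermitRootLogin value sshd will actually use. The key blobs and configuration text are constructed for the example; the blobs are shaped like ssh-rsa keys but are not usable keys.

```python
"""Checks for the SSH persistence described above (added example, not the
attackers' script or Microsoft's code). Runs offline on constructed input:
  - parse_authorized_keys()/unexpected_keys(): list keys in root's
    authorized_keys whose SHA256 fingerprint is not on an allowlist.
  - permit_root_login(): the PermitRootLogin value sshd will actually use.
"""
import base64
import hashlib
import re

# key type followed by the base64 blob and an optional comment; anything
# before the key type is the options field (e.g. command="...",no-pty)
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text):
    """Return [(options, key_type, blob, comment)] for each key line."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            continue  # not a key line
        options = line[: m.start()].strip()
        keys.append((options, m.group(1), m.group(2), (m.group(3) or "").strip()))
    return keys


def fingerprint(blob):
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of a key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_keys(text, allowed_fingerprints):
    """Keys in an authorized_keys file that are not on the allowlist."""
    hits = []
    for options, key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in allowed_fingerprints:
            hits.append((key_type, fp, comment, options))
    return hits


def permit_root_login(sshd_config):
    """Effective PermitRootLogin. sshd honours the FIRST occurrence of a
    keyword, so a line appended at the end of the file by an attacker
    changes nothing if an earlier line already sets it."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return "prohibit-password"  # OpenSSH default since 7.0


def _constructed_blob(label):
    """Base64 blob shaped like an ssh-rsa key but with dummy bytes; it is
    constructed for this example and is not a usable key."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label.encode()).decode()


# Constructed samples: two known keys and one the operator never added.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# root's authorized_keys (constructed sample)",
    "ssh-rsa " + _constructed_blob("ops-team") + " ops@bastion",
    'command="/bin/true",no-pty ssh-rsa ' + _constructed_blob("backup") + " backup@nas",
    "ssh-rsa " + _constructed_blob("dropped-by-worm"),
])
SAMPLE_SSHD_CONFIG = "\n".join([
    "Port 22",
    "PermitRootLogin no",
    "# appended later; ignored because the earlier line wins",
    "PermitRootLogin yes",
])
KNOWN_FINGERPRINTS = {fingerprint(_constructed_blob("ops-team")),
                      fingerprint(_constructed_blob("backup"))}

if __name__ == "__main__":
    for key_type, fp, comment, options in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"unexpected {key_type} key {fp} comment={comment!r} options={options!r}")
    print("PermitRootLogin in effect:", permit_root_login(SAMPLE_SSHD_CONFIG))
```

On a real host, read /root/.ssh/authorized_keys and /etc/ssh/sshd_config into the two functions and build the allowlist from `ssh-keygen -lf` output for the keys you expect. A dropped key with no comment and no options, as in the sample, is typical of a scripted install; the first-occurrence rule for sshd keywords is why a grep for `PermitRootLogin yes` alone can mislead in either direction.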

Microsoft has now observed a Linux worm that exploits this flaw on vulnerable Exim mail servers as part of a cryptojacking campaign.
