New Pervasive Worm Exploiting Linux Exim Server Vulnerability (Jun 13, 2019)
Cybereason has identified a new worm that exploits CVE-2019-10149, a remote command execution vulnerability in the Exim mail transfer agent running on Linux email servers. Discovered on June 5, the campaign uses the flaw to gain remote command execution on the server, installs an RSA public key so the attackers can authenticate to the host over SSH as root, and then deploys a port scanner to locate further vulnerable Exim servers. Once a server is compromised, any existing coin miners are removed and the attackers' own coin miner is installed in their place. With an estimated 3,683,029 vulnerable Exim servers exposed, many hosts can be infected very quickly.
Recommendation: Cryptocurrency-mining malware is becoming increasingly common among threat actors. It is therefore crucial to apply security patches as soon as they become available, because once proof-of-concept exploit code is published, threat actors often increase their targeting of vulnerable hosts. For this flaw that means confirming the Exim version in use (releases 4.87 through 4.91 are affected; 4.92 is fixed) and, on any host that was exposed while vulnerable, reviewing root's SSH authorized keys for entries the administrators did not add.
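The two checks the recommendation describes, as an added example that is not part of the original briefing and not code from Cybereason: one function classifies an `exim -bV` banner against the affected version range, the other audits an authorized_keys file for public keys whose fingerprint is not on an allowlist (the persistence step the worm uses). The version range is Exim's own (4.87 to 4.91 affected, 4.92 fixed); the key blobs and file contents below are constructed for the demonstration and are not real keys or real indicators.

```python
import base64
import hashlib
import re

# Exim 4.87 through 4.91 are affected by CVE-2019-10149; 4.92 and later are fixed.
VULNERABLE_RANGE = ((4, 87), (4, 91))


def exim_version_vulnerable(banner: str) -> bool:
    """True if an 'exim -bV' banner (or bare version string) is in the affected range."""
    m = re.search(r"\b(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number found in {banner!r}")
    version = (int(m.group(1)), int(m.group(2)))
    return VULNERABLE_RANGE[0] <= version <= VULNERABLE_RANGE[1]


def key_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# authorized_keys lines may start with options such as command="..." or from="...",
# so the key type is located by search rather than assumed to be the first field.
_KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)\s*(.*)"
)


def unexpected_root_keys(authorized_keys: str, allowed_fingerprints: set) -> list:
    """Return (fingerprint, comment) for every key not on the allowlist."""
    findings = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            continue
        fp = key_fingerprint(m.group(2))
        if fp not in allowed_fingerprints:
            findings.append((fp, m.group(3).strip()))
    return findings


# Constructed sample data: structurally shaped like SSH key blobs, but not real keys.
ADMIN_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x01" * 32
).decode()
INTRUDER_BLOB = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01" + b"\x00\x00\x00\x08" + b"\x7f" * 8
).decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample of /root/.ssh/authorized_keys
ssh-ed25519 {ADMIN_BLOB} admin@bastion
ssh-rsa {INTRUDER_BLOB} root@localhost
"""


if __name__ == "__main__":
    print("vulnerable:", exim_version_vulnerable("Exim version 4.91 #1 built 12-Jun-2019"))
    allowed = {key_fingerprint(ADMIN_BLOB)}  # fingerprints the administrators recognise
    for fp, comment in unexpected_root_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print(f"unexpected key {fp} ({comment or 'no comment'})")
```

In practice the allowlist holds the fingerprints of keys your own provisioning placed on the host (compare against `ssh-keygen -lf` output), and the audit is run over the real `/root/.ssh/authorized_keys` on every Exim host that was reachable while unpatched; a key you cannot account for is grounds for treating the host as compromised rather than simply patching it.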
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.