Attack Exploits Vulnerability in Half of Email MTAs Globally

by Tobias Herkula

Attacks predicted for a freshly reported email server vulnerability have come true in less than a week. If you’re an email administrator, you should be aware of the attacks this week targeting a vulnerability in the Exim MTA server code (versions 4.87 to 4.91), the objective of which is to create a backdoor that could then be exploited for almost anything, since with the backdoor in place, the attackers would then have full root access on the server. 

Attack exploits vulnerability reported just last week

Some details of this attack (including some of Cyren’s analysis) can be found in reporting published yesterday here (also German and French reporting today). The attack leverages a vulnerability found and published only last week by researchers at Qualys, described as CVE-2019-10149, as reported in ZDNet. According to the article, over half of all email servers visible on the internet run Exim. The Qualys researchers last week said they hadn’t seen anyone trying to exploit it, but they expected to see such soon--so it looks like they were correct. The vulnerability is being referred to as "The Return of the WIZard," in reference to a similar vulnerability in Sendmail in the 1990s, which led to the WIZ attacks. 

With respect to who might be behind the attack, the malicious script is hosted in the Tor network, so attribution is almost impossible. They are targeting Red Hat Enterprise Linux (RHEL), Debian, openSUSE and Alpine Linux operating systems

The hackers would most likely get access to all of a company’s email, and, depending on their goals, they might add the server to a botnet, or try to use that server to infiltrate the rest of a company’s servers and then exfiltrate data.

How the attack works

Cyren analyzed a sample and discovered that the immediate objective of the current attack is to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account. The steps being followed are:

  1. The attackers send an email or just initiate a connection—technically, they only need to reach the step where the MTA asks for the recipients of the email—and in the SMTP dialog of that email the RCPT_TO field gets an email address that contains a localpart specially crafted by the attackers that exploits the Exim vulnerability. Specifically, the attack uses a RCPT_TO that looks like the below, which downloads a Shell script and directly executes it:
  2. The infected Exim version then executes that localpart in its own user context, and
  3. Since people are still running Exim as root, it will then download a shell script that will open SSH access to the MTA server via a public key to the root user

We’ll update this blog with any new information as this attack develops.


Want to learn more about cloud-based email security? Contact us here!

Go back