Exim servers, estimated to run nearly 57% of the internet's e-mail servers, are currently under a heavy barrage of attacks from hacker groups trying to exploit a recent security flaw in order to take over vulnerable servers, ZDNet has learned.
At least two hacker groups have been observed carrying out attacks, one operating from a public internet server and one using a server located on the dark web.
Both groups are using an exploit for CVE-2019-10149, a security flaw that was disclosed on June 5.
The vulnerability, nicknamed "Return of the WIZard," allows remote attackers to send malicious emails to vulnerable Exim servers and run malicious code with the privileges of the Exim process, which on most servers is root.
Given the sheer number of Exim servers currently installed across the internet, estimated at somewhere between 500,000 and 5.4 million, exploitation attempts were widely expected.
According to self-described security enthusiast Freddie Leeman, the first wave of attacks began on June 9, when the first hacker group started blasting out exploits from a command-and-control server located on the clear web, at http://173[.]212.214.137/s.
Over the following days, this group evolved its attacks, changing the type of malware and scripts it would download onto infected hosts, an indication that the attackers were still experimenting with their attack chain and had not yet settled on a specific exploitation method or an ultimate goal.
However, despite the group's inconsistent attack patterns, these attacks were not duds and claimed at least a few victims.