Last Thursday, Amit Serper, Cybereason's head of security research, warned that attackers may be exploiting the Exim flaw to gain root access to targeted Linux servers over SSH.
Amit Serper said:
“The campaign uses a private authentication key that is installed on the target machine for root authentication,”
He continued:
“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”
How the flaw works
Although the flaw was fixed and patches were released in February, many vulnerable servers in the wild have still not been patched.
Below are the statistics from Shodan.io for Exim servers exposed on the Internet.
If you have not yet patched your server, please do so now.
System administrators should update the operating systems of their Azure Virtual Machines (VMs), following Microsoft's 16 June 2019 update.
Microsoft said:
“As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,”
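The script below is an added example; it is not code from the article, from Cybereason or from Microsoft. It gives a system administrator the two checks the warnings above call for: whether the installed Exim is older than 4.92 (the February 2019 release that fixed the flaw; that version number comes from the Exim release history, not from this page), and whether root's authorized_keys holds a login key that is not on an allowlist, which is how the root key the campaign installs would show up. The key blobs and the `exim -bV` line used in the demo are constructed, not real.

```shell
#!/bin/sh
# Added example (not code from the article, Cybereason or Microsoft): two
# checks for a host running Exim.
#   exim_version_status     - is the installed Exim older than the fixed release?
#   unknown_authorized_keys - which root login keys are not on your allowlist?
# Assumption: 4.92 is the fixed release (Exim's February 2019 release; the
# version number is not stated on the page above).

# Prints "vulnerable", "patched" or "unknown" for $1, which may be a bare
# version ("4.91") or the output of "exim -bV" (whose first line reads
# "Exim version 4.91 #1 built ...").
exim_version_status() {
    ver=$(printf '%s\n' "$1" | head -n 1 |
          sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 92 ]; }; then
        echo vulnerable
    else
        echo patched
    fi
}

# Reads an authorized_keys file on stdin.  $1 is a whitespace-separated list
# of approved key blobs (the base64 field).  Prints every non-comment entry
# whose blob is not approved; leading options such as command="..." or
# no-pty are skipped so they cannot hide the key type from the check.
unknown_authorized_keys() {
    awk -v approved="$1" '
        BEGIN {
            n = split(approved, a, "[ \t\n]+")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if (!($(i + 1) in ok)) print
                    break
                }
        }'
}

# Runs both checks on the local host.  Put your own key blobs in
# APPROVED_KEY_BLOBS first; with it empty, every root key is reported.
APPROVED_KEY_BLOBS="${APPROVED_KEY_BLOBS:-}"
check_host() {
    if command -v exim >/dev/null 2>&1; then
        echo "exim: $(exim_version_status "$(exim -bV 2>/dev/null)")"
    else
        echo "exim: not installed"
    fi
    if [ -r /root/.ssh/authorized_keys ]; then
        echo "root keys not on the allowlist:"
        unknown_authorized_keys "$APPROVED_KEY_BLOBS" < /root/.ssh/authorized_keys
    fi
}

# Constructed sample (not real keys, not real -bV output) showing what the
# checks report.
demo() {
    exim_version_status "Exim version 4.91 #1 built 01-Jan-2019"    # vulnerable
    exim_version_status "4.92"                                     # patched
    printf '%s\n' '# admin key' \
        'ssh-ed25519 AAAAC3NzaC1admin root@admin' \
        'no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1intruder' |
        unknown_authorized_keys "AAAAC3NzaC1admin"
}

if [ "${1:-}" = "--check" ]; then check_host; else demo; fi
```

Run it with `--check` on the host itself (as root, with `APPROVED_KEY_BLOBS` set to the blobs of the keys you installed); without arguments it runs the constructed demo. The version check is only a first pass: a distribution may backport the fix without bumping the version, so confirm against your vendor's advisory, and an unexpected root key is a sign of compromise that calls for a full incident response, not just deleting the line.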