Exim mail servers are being hit by a major cyber-attack

Nearly 57% of the internet’s email servers are under attack from hacker groups trying to exploit the vulnerability CVE-2019-10149.

The vulnerability named “Return of the WIZard”, allows attackers to remotely send malicious emails to vulnerable Exim services and run malicious code. Due to the vast amount of Exim servers utilised globally, it is estimated that over 3.5 million are at risk.

There appears to be two waves of attacks with the first pushing out exploits from a command and control server located on the clear web, whilst the second utilising a more sophisticated method.

Security researcher Amit Serper at Cybereason warned users about an attack utilising a cryptomining worm:

“Someone is actively exploiting vulnerable exim servers. The attackers are using that exim vuln to gain permanent root access via ssh to those exploited servers by using a script that’s uploaded to that server through that exploit.”

The attackers are downloading script from a hidden service on Tor which installs OpenSSH server if it is not already present. The script then reconfigures the OpenSSH root logins with an RSA public/ private key.

“That means that if your server was exploited, the attackers have root access to your service via public/private key pair.”

In a post by Qualys Research Labs, they wrote:

“This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for seven days (by transmitting one byte every few minutes).

“However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.”

Cybereason wrote:

“It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm. They used hidden services on the TOR network to host their payloads and created deceiving windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs.”

It has been advised that users upgrade Exim to version 4.92 which has patched the vulnerability.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.