CVE-2019-10149 is a Remote Code Execution flaw affecting Exim versions 4.87 to 4.91. The flaw allows remote attackers to execute commands on the target machine.
After infection, the worm searches the internet for other machines to infect and initiates a crypto miner.
Now Microsoft has confirmed Azure customers are targeted by this campaign.
“This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91”
Even though Microsoft has placed new restrictions to combat spam, which can limit the spread of this worm, MSRC warns that Azure servers are still vulnerable to this infection.
Microsoft advised affected customers to use Network Security Groups (NSGs) to filter or block traffic to their servers. But systems remain vulnerable to the flaw if the attacker’s IP address is permitted through the Network Security Group.
“Microsoft suggests that Azure customers utilize Network Security Groups (NSGs) to filter or block traffic to their servers. Aquino warns, though, that if the NSG contains a list of IP addresses that are permitted to access the server, these IP addresses could still be used to remotely execute commands on a vulnerable server,” the advisory published by MSRC says.
All Azure users are therefore advised to update their Exim mail servers to version 4.92 immediately.
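As an added example (not part of the article or of the MSRC advisory), the following POSIX shell script classifies an Exim installation against the affected range the article gives, 4.87 through 4.91. It assumes that the first line of `exim -bV` output begins with `Exim version <number>`; a constructed sample of that output is embedded so the script runs offline, and `--live` makes it query the local `exim` binary instead.

```shell
#!/bin/sh
# Added example: is the installed Exim inside the CVE-2019-10149 range (4.87..4.91)?
# Assumption: `exim -bV` output starts with "Exim version 4.91 #1 built ...".

# Return 0 (true) when MAJOR.MINOR is within 4.87..4.91 inclusive, else 1.
exim_version_vulnerable() {
    major=${1%%.*}                 # "4.91"   -> "4"
    rest=${1#*.}                   # "4.86.2" -> "86.2"
    minor=${rest%%.*}              # "86.2"   -> "86"
    minor=$(printf '%s\n' "$minor" | sed 's/[^0-9].*//')   # keep leading digits only
    case $minor in
        ''|*[!0-9]*) return 1 ;;   # unparsable minor: treat as not in range
    esac
    [ "$major" = 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Pull the version number out of `exim -bV` text (empty string if not found).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "vulnerable", "patched" or "unknown"; exit status 0 / 1 / 2 respectively.
exim_status() {
    v=$(exim_version_from_bv "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 2
    fi
    if exim_version_vulnerable "$v"; then
        echo vulnerable
        return 0
    fi
    echo patched
    return 1
}

# Constructed sample of `exim -bV` output for a host still on 4.91.
SAMPLE_BV='Exim version 4.91 #1 built 23-Apr-2018 10:35:11
Copyright (c) University of Cambridge, 1995 - 2018'

if [ "${1:-}" = "--live" ]; then
    exim_status "$(exim -bV 2>/dev/null)"
else
    exim_status "$SAMPLE_BV"      # prints "vulnerable" for the sample
fi
```

The version check only covers the range the article states; it says nothing about distribution backports, so a host reporting 4.91 with a vendor patch applied will still be flagged and needs its package changelog checked. The NSG caveat above also still applies: this script tells you whether the binary needs updating, not whether an allow-listed source could reach it.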