Threat Watch

Exim Mail Servers Vulnerable

Millions of email servers running the Exim mail transfer agent (MTA) are currently under attack by actors seeking permanent root access to the exploited machines. The flaw, named “The Return of the WIZard” by researchers, makes it possible for attackers to run remote commands as root on exposed servers. When the flaw was first found in versions 4.87 to 4.91, a search showed that almost 5 million machines were running the vulnerable versions. New searches show that the number has been decreasing as users start to apply the new patch. The payload that attackers are using has been published on the dark web for anyone to use. The initial attacks were found to be carried out by professional hackers, but there has since been an influx of less skilled attackers using this free payload. The United States has the most users of Exim, with over 2 million exploitable users. Russia comes in second with close to 200,000 unpatched users.


Recommendation: Users of the Exim MTA should immediately install the version 4.92 patch, which can be obtained directly from Exim.
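
To act on the recommendation, an administrator first needs to know which hosts fall in the affected range. The script below is an added example, not part of the original brief: it classifies Exim version strings (the first line of `exim -bV`, or a bare version) against the 4.87 to 4.91 range stated above. The function names and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Exim versions against the affected range
# given in the brief (4.87 through 4.91; 4.92 carries the fix).

# Print "major minor" parsed from `exim -bV` output or a bare version.
# Suffixed releases such as 4.90_1 or 4.92.1 are reduced to major.minor.
exim_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^\(Exim version \)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\2 \3/p' |
        head -n 1
}

# Print "affected", "not-affected" or "unknown" for one version string.
exim_status() {
    mm=$(exim_major_minor "$1")
    if [ -z "$mm" ]; then
        echo unknown          # unparseable input is never treated as safe
        return 0
    fi
    major=${mm% *}
    minor=${mm#* }
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Check the local binary when one is installed.
if command -v exim >/dev/null 2>&1; then
    echo "local exim: $(exim_status "$(exim -bV 2>/dev/null)")"
fi

# Constructed sample inventory (not real hosts or captured output).
for v in "Exim version 4.91 #3 built 20-Apr-2018 10:00:00" \
         "4.87" "4.90_1" "4.92" "4.86_2" "not a version"; do
    echo "$v => $(exim_status "$v")"
done
```

Distribution packages can carry a backported fix under an unchanged upstream version number, so confirm an "affected" result against the vendor's advisory before concluding that a host is unpatched.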