It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149).
Amit Serper, Cybereason’s head of security research, warned on Thursday that attackers are exploiting the flaw to gain persistent root access over SSH to the targeted Linux servers.
“The campaign uses a private authentication key that is installed on the target machine for root authentication,” he noted.
“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coin miners before installing its own.”
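The persistence described above is a key added for root login over SSH (in SSH terms, the public half lands in root's authorized_keys while the attacker keeps the private key). A practical check is to compare root's authorized_keys against a baseline of keys you recorded when the host was built and alarm on anything else. The script below is an added example, not code from the article or from Cybereason; the default file paths are assumptions, and the demonstration at the bottom runs on constructed sample files with made-up key blobs rather than real keys.

```shell
#!/bin/sh
# Added example: audit root's authorized_keys against a baseline.
# Default paths are assumptions; override via the environment.
AUTH_KEYS="${AUTH_KEYS:-/root/.ssh/authorized_keys}"
BASELINE="${BASELINE:-/etc/ssh/root_authorized_keys.baseline}"

# key_blobs FILE: print "type base64blob" for each key line, skipping
# blank lines and '#' comments, and ignoring leading options
# (command="...", from="...") and the trailing comment field.
key_blobs() {
  [ -r "$1" ] || return 0
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
        print $i " " $(i+1); break
      }
  }'
}

# audit_authorized_keys AUTH_FILE BASELINE_FILE
# Prints every key present in AUTH_FILE but absent from BASELINE_FILE.
# Returns 1 if at least one such key exists, 0 if the file is clean.
audit_authorized_keys() {
  expected=$(key_blobs "$2")
  findings=$(key_blobs "$1" | while IFS= read -r key; do
    printf '%s\n' "$expected" | grep -qxF -- "$key" \
      || printf 'UNEXPECTED root key: %s\n' "$key"
  done)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# make_demo_files DIR: constructed sample data (fake key blobs, not real keys)
make_demo_files() {
  cat > "$1/baseline" <<'EOF'
# keys recorded at build time for root@this-host (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaseLineAdminKeyConstructed0001 admin@bastion
EOF
  cat > "$1/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaseLineAdminKeyConstructed0001 admin@bastion
# second entry stands in for a key planted for persistence (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAttackerKey0002
EOF
}

# Demonstration: run the audit on the constructed files.
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
if audit_authorized_keys "$demo_dir/authorized_keys" "$demo_dir/baseline"; then
  echo "root authorized_keys matches baseline"
else
  echo "root authorized_keys contains keys not in the baseline"
fi
rm -rf "$demo_dir"
```

On a real host, run it as `AUTH_KEYS=/root/.ssh/authorized_keys BASELINE=/path/to/baseline sh audit.sh` from a cron job or a configuration-management check, and treat any non-zero exit as an incident lead rather than something to auto-remediate: an attacker who has root can also edit the baseline, so keep that file off the host or under integrity monitoring.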