Microsoft has issued a warning to Azure customers on Friday about a Linux worm spreading via Exim servers, which has also infected some Azure installations.
The worm, first reported by ZDNet earlier this week, and later detailed in more depth by the Cybereason team, infects Exim email servers using the CVE-2019-10149 vulnerability, a security flaw that lets attackers execute remote commands and take over unpatched systems.
The worm uses the vulnerability to take over a server, then scans the internet for other servers, and attempts to infect them as well, before dropping a cryptocurrency miner on the current host.
The worm targets servers that run Exim — a mail transfer agent (MTA), which is software that runs on Linux-based email servers to relay emails from senders to recipients.
Azure infrastructure stops some parts of the worm
On Friday, Microsoft said its Azure infrastructure has been hit by this worm as well. The good news is that the Azure infrastructure “has controls in place to help limit the spread of this worm,” Microsoft said.
However, the company is still warning customers that the rest of the worm still works fine. The worm may not be able to self-spread by scanning the internet and replicating itself, but the hacked Azure machines will remain compromised, and infected with a cryptocurrency miner.
The miner will slow down infected systems, and hackers will also be able to drop other malware on Azure virtual machines at any later point, using the same Exim vulnerability.
“As this vulnerability is being actively exploited by worm activity, MSRC (Microsoft Security Response Center) urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” said JR Aquino, Manager of Azure Incident Response.
Microsoft is urging customers to update Exim installations running on top of Azure machines to Exim 4.92, which is the patched version. Exim installations running versions 4.87 to 4.91 are vulnerable.
Azure systems that have been already infected should be wiped and users should reinstall from scratch, or restore from a previous backup.
The Cybereason blog post contains IOCs (indicators of compromise) that server owners can use to scan their Azure VMs.
Related malware and cybercrime coverage: