Microsoft has warned Azure customers about a Linux worm that spreads through Exim mail servers and has also infected some installations running on Azure.
The worm breaks into Exim servers through CVE-2019-10149, a flaw in how Exim handles recipient addresses that lets a remote attacker execute commands on an unpatched server. Because Exim's delivery process runs as root, those commands run as root, so the attacker takes over the machine.
Once on a server, the worm scans the internet for other Exim servers and tries to infect them the same way, then drops a cryptocurrency miner on the host it has taken over.
Exim is a mail transfer agent (MTA): software that runs on Linux-based mail servers and relays email from senders to recipients.
Azure's infrastructure has been hit by the worm, but Microsoft says it has controls in place that help limit the worm's spread within Azure.
Microsoft has still warned customers that the rest of the worm works as designed: even if a compromised Azure VM cannot scan the internet and replicate itself, it is still compromised and still runs the cryptocurrency miner.
The miner slows infected systems down, and the attackers can use the same Exim vulnerability to deploy other malware on the compromised VMs later.
Because the vulnerability is being actively exploited by the worm, Microsoft urges customers to follow Azure security best practices and patterns, and to patch or restrict network access to VMs running affected versions of Exim.
Customers should update Exim installations on Azure machines to Exim 4.92, which contains the fix, or to a distribution package that backports it. Exim versions 4.87 through 4.91 are vulnerable.
Azure systems that have already been compromised should be wiped and reinstalled from scratch, or restored from a backup taken before the infection.
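The first thing an administrator needs for the steps above is to know whether a given VM runs an affected Exim. The following script is an added example written for this article, not code published by Microsoft or the Exim project: it pulls the version number out of `exim -bV` output and checks it against the affected range 4.87 through 4.91. When no `exim` binary is installed it falls back to a constructed sample of `-bV` output so it can be run offline; the sample text and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): check an Exim version against the
# CVE-2019-10149 affected range, Exim 4.87 through 4.91 inclusive.

# Constructed sample of the first lines of `exim -bV` output, used when no
# exim binary is present so the script runs offline.
SAMPLE_BV='Exim version 4.91 #1 built 10-Mar-2018 11:18:15
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018'

# Pull the bare version number (e.g. 4.91) out of `exim -bV` text.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 if MAJOR.MINOR is in the vulnerable range, 1 if it is not,
# 2 if the string cannot be parsed as a version at all.
exim_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*$//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# Print a verdict for a block of `exim -bV` output.
report() {
    ver=$(exim_version_from_bv "$1")
    rc=0
    exim_vulnerable "$ver" || rc=$?
    case $rc in
        0) printf 'Exim %s: in the CVE-2019-10149 range, upgrade to 4.92 or a fixed distro package\n' "$ver" ;;
        1) printf 'Exim %s: version not in the affected range\n' "$ver" ;;
        *) printf 'could not determine the Exim version from -bV output\n' ;;
    esac
}

# Use the real binary when present, otherwise the constructed sample.
if command -v exim >/dev/null 2>&1; then
    BV=$(exim -bV 2>/dev/null || true)
else
    BV=$SAMPLE_BV
fi
report "$BV"
```

Treat the version number as a first-pass heuristic, not proof either way. Distributions that ship an older Exim often backport the fix without bumping the upstream version (Debian, for example, patched its 4.89-based package), so a host flagged here may already be fixed; confirm with the package changelog (`dpkg -l exim4`, `rpm -q --changelog exim`). Conversely, a host on 4.92 that was compromised before the upgrade still needs the wipe-and-rebuild treatment described above, since patching does not remove the miner.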