Headline
Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers
A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua.
Database Security / Cyber Threat
A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network.
The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua.
Tracked as CVE-2022-0543 (CVSS score: 10.0), the weakness pertains to a case of sandbox escape in the Lua scripting engine that could be leveraged to attain remote code execution.
This is not the first time the flaw has come under active exploitation, what with Juniper Threat Labs uncovering attacks perpetrated by the Muhstik botnet in March 2022 to execute arbitrary commands.
The Redigo infection chain is similar in that the adversaries scan for exposed Redis servers on port 6379 to establish initial access, following it up by downloading a shared library “exp_lin.so” from a remote server.
This library file comes with an exploit for CVE-2022-0543 to execute a command in order to retrieve Redigo from the same server, in addition to taking steps to mask its activity by simulating legitimate Redis cluster communication over port 6379.
“The dropped malware mimics the Redis server communication which allowed the adversaries to hide communications between the targeted host and the C2 server,” Aqua researcher Nitzan Yaakov explained.
It’s not known what the end goal of the attacks are, but it’s suspected that the compromised hosts could be co-opted into a botnet to facilitate DDoS attacks or used to steal sensitive information from the database server to further extend their reach.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers
The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack
By Waqas Known as 'P2PInfect,' the worm exploits a critical vulnerability to infiltrate Redis instances and assimilates them into a larger P2P network, enabling it to spread rapidly. This is a post from HackRead.com Read the original post: P2PInfect: Self-Replicating Worm Hits Redis Instances
Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.