Since early September 2021, at least 1,200 Redis database servers worldwide have been corralled into a botnet by what researchers describe as an elusive and severe threat.
“This advanced threat actor uses a sophisticated, custom-built malware that is both agentless and undetectable by traditional antivirus solutions, allowing it to compromise a large number of Redis servers,” Aqua Security researcher Asaf Eitani said in a report Wednesday.
China, Malaysia, India, Germany, the United Kingdom and the United States have so far recorded significant numbers of infections. The origin of the threat actor is currently unknown.
The findings come two months after the cloud security firm highlighted Go-based malware codenamed Redigo that was found to have compromised Redis servers.
The attack targets Redis servers that are exposed to the Internet: the adversary issues a SLAVEOF command to the exposed instance, pointing it at another Redis server that is already under the adversary’s control.
Once that happens, the rogue “master” server initiates a synchronization that downloads a malicious payload to the newly hijacked server, delivering the HeadCrab malware.
“The attacker primarily targets Redis servers and has a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware,” Eitani noted.
While the ultimate goal of the in-memory malware is to hijack system resources for cryptocurrency mining, it also comes with a range of other capabilities that allow the attacker to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.
What’s more, follow-on analysis of the Redigo malware revealed that it was weaponizing the same master-slave technique for propagation, and not the Lua sandbox escape flaw (CVE-2022-0543) as previously disclosed.
Users are advised to avoid exposing Redis servers directly to the Internet, to disable the SLAVEOF feature in their environment if it is not in use, and to configure servers to accept connections only from trusted hosts.
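To put the replication-based takeover and the hardening advice above into a concrete check, here is an added example (not code from Aqua Security or the Redis project) that audits the output of a Redis server’s `INFO replication` and `CONFIG GET` for signs of an unexpected master and for the weak settings the advice targets. The function names, the trusted-master allowlist and the sample data are assumptions constructed for illustration.

```python
# Added example, not from the report: offline audit of a Redis instance's
# replication state and hardening settings. `info_replication` is the raw
# text returned by `INFO replication`; `config` is a dict built from
# `CONFIG GET` answers. Names and sample values are assumptions.
from typing import Dict, List, Set

def parse_info(raw: str) -> Dict[str, str]:
    """Parse the key:value lines of an INFO reply (lines starting with # are section headers)."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key] = value
    return fields

def audit_redis(info_replication: str, config: Dict[str, str],
                trusted_masters: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    info = parse_info(info_replication)
    # A server that has become a replica of a host we do not own is the
    # signature of a SLAVEOF-driven takeover.
    if info.get("role", "") in ("slave", "replica"):
        master = info.get("master_host", "?")
        if master not in trusted_masters:
            findings.append(f"replicating from unexpected master {master}:"
                            f"{info.get('master_port', '?')}")
    # An empty bind, or a wildcard address, exposes the instance to every interface.
    bind = config.get("bind", "")
    if bind == "" or any(a in ("0.0.0.0", "*", "::") for a in bind.split()):
        findings.append("bound to all interfaces; restrict 'bind' to trusted addresses")
    if config.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is off")
    if not config.get("requirepass"):
        findings.append("no password (requirepass) configured")
    return findings

# Constructed sample: a replica pointed at a foreign host (RFC 5737 test address).
SAMPLE_INFO = ("# Replication\r\nrole:slave\r\nmaster_host:203.0.113.5\r\n"
               "master_port:6379\r\nmaster_link_status:up\r\n")
SAMPLE_CONFIG = {"bind": "0.0.0.0", "protected-mode": "no", "requirepass": ""}

if __name__ == "__main__":
    for finding in audit_redis(SAMPLE_INFO, SAMPLE_CONFIG, {"10.0.0.2"}):
        print("FINDING:", finding)
```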
“HeadCrab will continue to use advanced techniques to infiltrate servers, exploiting misconfigurations or vulnerabilities,” Eitani said.