Redis servers attacked by Redigo malware
2022-12-04A new Go-based malware threat called Redigo has been targeting Redis servers are affected by CVE-2022-0543 vulnerability. It has plant a stealthy backdoor and allow command execution. Attackers continued to leverage it on unpatched machines several months after the fix came out in February this year, as proof-of-concept exploit code became publicly available.
The CVE-2022-0543 flaw is a Lua sandbox escape flaw that impacts Debian and Debian-derived Linux distributions. The vulnerability, which was rated 10 out of 10 for severity, could be exploited by a remote attacker with the ability to execute arbitrary Lua scripts to possibly escape the Lua sandbox and execute arbitrary code on the underlying machine. Juniper Threat Labs researchers reported that the Muhstik botnet has been observed targeting Redis servers exploiting the CVE-2022-0543 vulnerability.
Attacks with Redigo commence with port 6379 scans to discover exposed Redis instances, which will then be followed by the execution of several commands involving verification of the instance's vulnerability, creation of an attacking server copy, connection configurations, replication stream initiation, and module downloading from the downloaded dynamic library, according to an Aquasec report.
Host hardware information is being collected by the backdoor using its command execution capabilities prior to Redigo download and execution. While Redigo's processes following initial environment foothold remain uncertain due to attack duration limits in Aquasec honeypots, Aquasec researchers suspect that vulnerable servers may be added by the malware as a bot for distributed denial-of-service attacks and cryptocurrency mining attacks.
AquaSec researchers believe that threat actors are using the Redigo malware to infect Redis and add them to a botnet used to launch denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal data from the servers.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.