
Since early September 2021, at least 1,200 Redis database servers around the world have been enlisted into a botnet using a "severe elusive threat" dubbed HeadCrab.
"This advanced threat actor is compromising a large number of Redis servers with cutting-edge, custom-made malware that is undetectable by traditional agentless antivirus solutions," Aqua Security researcher Asaf Eitani said in a report on Wednesday.
To date, significant clusters have been recorded in China, Malaysia, India, Germany, the United Kingdom and the United States. The attacker’s origin is currently unknown.
The findings come two months after the cloud security firm shed light on a Go-based malware codenamed Redigo that was found to compromise Redis servers.
The attack targets a Redis server exposed to the internet: the attacker issues a SLAVEOF command to it from another Redis server already under their control.

In doing so, the rogue “master” server initiates synchronization of the newly hacked server to download a malicious payload containing the advanced HeadCrab malware.
“The attackers appear to be primarily targeting Redis servers, and as the malware demonstrates, they have a deep understanding and expertise in Redis modules and APIs,” said Eitani.

Although the ultimate goal of the memory-resident malware is to hijack system resources for cryptocurrency mining, it also offers many other capabilities that let the threat actor execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.
Additionally, subsequent analysis of the Redigo malware revealed that it was weaponizing the same master/slave technique for distribution, rather than the previously disclosed Lua sandbox escape flaw (CVE-2022-0543).
Users are advised to refrain from exposing their Redis servers directly to the internet, to disable the "SLAVEOF" feature in their environment if it is not in use, and to configure their servers to accept connections only from trusted hosts.
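A small audit script for the three recommendations above, written for this article as an added example (not code from Aqua Security or the Redis project). It parses a redis.conf and flags a wildcard `bind`, `protected-mode no`, and a `SLAVEOF` or `REPLICAOF` command that has not been disabled with `rename-command`; the two config samples are constructed for illustration.

```python
"""Audit a redis.conf for the HeadCrab hardening advice: no internet exposure,
replication commands disabled, connections limited to trusted hosts."""
import shlex

# Bind addresses that expose the server on every interface.
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Return (directive, args) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted args such as rename-command X ""
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    entries = parse_conf(text)
    findings = []
    binds = [args for name, args in entries if name == "bind"]
    # No 'bind' at all, or a wildcard address, means the server listens everywhere.
    # A leading '-' (Redis 7 syntax, e.g. '-::*') is stripped before comparing.
    if not binds or any(ip.lstrip("-") in WILDCARDS for args in binds for ip in args):
        findings.append("bind allows all interfaces; restrict to trusted hosts")
    modes = [args[0].lower() for name, args in entries if name == "protected-mode" and args]
    if modes and modes[-1] == "no":
        findings.append("protected-mode is disabled")
    # rename-command <CMD> "" removes the command; Redis 6+ ACLs can also deny it.
    disabled = {args[0].upper() for name, args in entries
                if name == "rename-command" and len(args) == 2 and args[1] == ""}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} is still enabled; disable it if replication is unused")
    return findings


# Constructed samples: an exposed default-style config and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1 10.0.0.5\n"          # placeholder trusted-host addresses
    "protected-mode yes\n"
    'rename-command SLAVEOF ""\n'
    'rename-command REPLICAOF ""\n'
)

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```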
“HeadCrab will continue to use state-of-the-art techniques to infiltrate servers, exploiting misconfigurations and vulnerabilities,” Eitani said.