CVSS3 score: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2 score: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector string: AV:N/AC:L/Au:N/C:C/I:C/A:C
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021.
"This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua Security researcher Asaf Eitani said in a Wednesday report.
A significant concentration of infections has been recorded in China, Malaysia, India, Germany, the U.K., and the U.S. to date. The origins of the threat actor are presently unknown.
The findings come two months after the cloud security firm shed light on a Go-based malware codenamed Redigo that has been found compromising Redis servers.
The attack targets Redis servers that are exposed to the internet: the adversary issues a SLAVEOF command from another Redis server that's already under their control.
The rogue "master" server then initiates a synchronization with the newly compromised server, downloading onto it the malicious payload that contains the HeadCrab malware.
"The attacker seems to mainly target Redis servers and has a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware," Eitani noted.
While the ultimate goal of the memory-resident malware is to hijack system resources for cryptocurrency mining, it also offers numerous other capabilities that allow the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.
What's more, a follow-on analysis of the Redigo malware has revealed that it uses the same master-slave technique for propagation, and not the Lua sandbox escape flaw (CVE-2022-0543) as previously disclosed.
Users are advised not to expose Redis servers directly to the internet, to disable the "SLAVEOF" feature in their environments if it is not in use, and to configure the servers to accept connections only from trusted hosts.
Eitani said: "HeadCrab will persist in using cutting-edge techniques to penetrate servers, either through exploiting misconfigurations or vulnerabilities."
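As an added example (not code from the article, Aqua or Redis), the following Python script audits a redis.conf against the three recommendations above: no exposure to all interfaces, trusted clients only (protected-mode plus a password), and SLAVEOF/REPLICAOF disabled via rename-command. The two configurations, the bind addresses and the password placeholder are constructed for the demonstration.

```python
import shlex

# Constructed sample: an internet-exposed, unhardened server (not a real capture).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
# Constructed sample after the three recommendations; the password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass REPLACE_WITH_STRONG_PASSWORD
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

def parse_conf(text: str) -> dict:
    """Map each directive to its argument lists (a directive may repeat; Redis uses the last one)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # redis.conf only treats whole lines as comments
            continue
        parts = shlex.split(line)  # handles quoted values such as the "" that disables a command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text: str) -> list:
    """Return one finding per unmet recommendation; an empty list means the file passes."""
    conf = parse_conf(text)
    findings = []
    # 1. Exposure: with no 'bind' line Redis listens on every interface.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for b in binds):
        findings.append("bind: listens on all interfaces; restrict to trusted addresses")
    # 2. Trusted clients only: keep protected-mode on and require a password.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if not mode or mode[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: missing; any client that can connect may issue SLAVEOF")
    # 3. Replication from an attacker-chosen master: disable the command and its alias.
    disabled = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2 and a[1] == ""}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f'{cmd}: still enabled; rename it to "" if replication is not used')
    return findings
```

Run `audit()` on the server's own redis.conf; the weak sample yields five findings and the hardened sample none.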
Following the publication of the story, Redis shared the following statement with The Hacker News:
Redis is very supportive of the cybersecurity research community, and we want to recognize AquaSec for getting this report out to benefit the Redis community. Their report shows the potential dangers of misconfiguring Redis. We encourage all Redis users to follow the security guidance and best practices published within our open source and commercial documentation.
We should note that there are no signs that Redis Enterprise software or Redis Cloud services have been impacted by these attacks.