Redis servers targeted in a recent Redigo malware campaign

December 13, 2022

Publicly exposed, unpatched Redis servers are the target of an ongoing attack campaign that deploys Redigo, a previously undocumented Go-based malware. Its operators aim to compromise vulnerable Redis hosts and enrol them in a botnet.

Redis (Remote Dictionary Server) is an open-source in-memory data structure store used as a database, cache and message broker. According to the reports, the recent attacks on Redis servers abuse a critical vulnerability disclosed earlier this year, tracked as CVE-2022-0543, to deploy the Redigo malware.

Rated CVSS 10.0, the flaw is a sandbox escape in Redis's Lua scripting engine that lets anyone able to issue EVAL commands execute arbitrary code on the host. It affects the Redis packages shipped by Debian and Ubuntu, which were built against the system Lua library and thereby left Lua's package library reachable from inside the sandbox; upstream Redis builds do not load that library and are not affected. The flaw has been exploited since shortly after its disclosure: in March 2022 the Muhstik botnet used it to run arbitrary commands on exposed servers.

Hackers first scan for publicly exposed Redis servers to begin the infection chain.

According to the analysis, the Redigo operators first scan for Redis servers publicly exposed on TCP port 6379 and use them to establish initial access. They then download a shared library file named “exp_lin[.]so” from an attacker-controlled command-and-control (C2) server.

The shared library carries an exploit for CVE-2022-0543 and, once it runs, executes a command that fetches the Redigo malware from the same server. Throughout, the attackers disguise their traffic by mimicking legitimate Redis cluster communication on port 6379.

Once dropped on the compromised host, Redigo keeps imitating normal Redis server traffic, which helps obscure the communication between the C2 server and the infected machine.

While the ultimate objective of the campaign remains unclear, researchers suspect the compromised hosts are being assembled into a botnet for future DDoS attacks. The operators could also steal data from the exposed database servers or use the foothold to mount further attacks.

Redis users running the affected Debian or Ubuntu packages should upgrade immediately to a fixed package version: redis/5:6.0.16-1+deb11u2 (Debian 11), redis/5:5.0.14-1+deb10u2 (Debian 10), or redis/5:6.0.16-2 and redis/5:7.0~rc2-2 (the unstable and experimental branches at the time of the fix). Patching alone does not close the entry point this campaign relies on: a Redis instance should not be reachable from the internet at all, so bind it to an internal interface, keep protected mode enabled, require authentication, and firewall port 6379.
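As an added example (not code from the Redigo report or from the Redis project), the following Python script sends the read-only probe EVAL "return type(package)" 0 over the raw Redis wire protocol and classifies the answer. The affected Debian/Ubuntu builds expose Lua's package library inside the scripting sandbox (the public exploit for CVE-2022-0543 relies on package.loadlib), so they reply "table"; upstream Redis never loads that library and replies "nil". The host and port arguments are placeholders, the sample replies in demo() are constructed rather than captured, and the script must only be pointed at servers you are authorised to test.

```python
"""Probe a Redis instance for the Lua sandbox escape condition behind CVE-2022-0543.

Added example for this article, not code from the Redigo report or the Redis
project. It speaks RESP (the Redis wire protocol) with the standard library
only, so nothing beyond Python 3 is needed. Host/port values are placeholders.
"""
import socket
import sys
from typing import Optional, Tuple

Reply = Tuple[str, Optional[object]]


class IncompleteReply(ValueError):
    """Raised while the receive buffer does not yet hold a whole reply."""


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def parse_reply(data: bytes) -> Reply:
    """Parse one RESP reply into (kind, value).

    kind is 'status' (+OK), 'error' (-ERR ...), 'int' (:1), 'bulk' ($5 table)
    or 'null' ($-1). Raises IncompleteReply while more bytes are needed."""
    head, sep, rest = data.partition(b"\r\n")
    if not sep:
        raise IncompleteReply("incomplete reply")
    prefix, body = head[:1], head[1:]
    if prefix == b"+":
        return "status", body.decode()
    if prefix == b"-":
        return "error", body.decode()
    if prefix == b":":
        return "int", int(body)
    if prefix == b"$":
        length = int(body)
        if length == -1:
            return "null", None
        if len(rest) < length + 2:
            raise IncompleteReply("incomplete bulk reply")
        return "bulk", rest[:length].decode()
    raise ValueError(f"unsupported reply type {prefix!r}")


# Lua's type() yields "table" when the package library is loaded and "nil"
# when it is not; EVAL hands Lua strings back as RESP bulk strings.
PROBE = encode_command("EVAL", "return type(package)", "0")


def classify(reply: Reply) -> str:
    """Turn the probe's reply into an assessment string."""
    kind, value = reply
    if kind == "bulk" and value == "table":
        return "vulnerable"        # package library reachable from scripts
    if kind == "bulk" and value == "nil":
        return "not-vulnerable"    # package library absent, as in upstream Redis
    if kind == "error" and str(value).startswith("NOAUTH"):
        return "auth-required"     # anonymous EVAL refused; re-test with credentials
    if kind == "error":
        return f"error: {value}"   # e.g. EVAL renamed away or denied by an ACL
    return f"unexpected: {kind} {value!r}"


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send the probe and classify the answer (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE)
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
            try:
                return classify(parse_reply(buf))
            except IncompleteReply:
                continue           # wait for the rest of the reply


def demo() -> dict:
    """Classify constructed replies (sample data, not captured from a real server)."""
    samples = {
        "debian-unpatched": b"$5\r\ntable\r\n",
        "upstream-or-patched": b"$3\r\nnil\r\n",
        "requirepass-set": b"-NOAUTH Authentication required.\r\n",
        "eval-disabled": b"-ERR unknown command 'EVAL'\r\n",
    }
    return {name: classify(parse_reply(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
    if len(sys.argv) > 1:          # python3 redis_probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
        print(probe(sys.argv[1], port))
```

A "not-vulnerable" verdict means the package library is gone, which is what the fixed Debian packages and upstream builds look like. An "auth-required" verdict means the instance refuses unauthenticated scripting, which closes the door the Redigo operators walk through, but the library bug is still present until the package is upgraded, so re-run the probe with credentials before declaring the host clean.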
