Attackers are abusing an 8-year-old version of the Redis open-source database server to deploy Metasploit's Meterpreter module, which lets them fetch and run exploits on the compromised system, potentially enabling full takeover and the distribution of a host of other malware.
Researchers from AhnLab Security Intelligence Center (ASEC) said in a blog post that the attackers are likely exploiting either a misconfiguration or a vulnerability in a Redis deployment to distribute Meterpreter for malicious use.
Meterpreter is a component of the legitimate Metasploit pen-testing tool that lets threat actors fetch various Metasploit modules, i.e., working exploits for known bugs, and then use them on the targeted system, according to ASEC. Metasploit, like Cobalt Strike, is a tool that threat actors frequently abuse to carry out attacks.
How It's Done
Redis is an open source, in-memory data structure store that is increasingly used in a variety of ways in cloud environments; its typical roles are session management, message brokering, and queuing, according to ASEC. This growing prevalence also makes it a more popular target for attackers, who have abused vulnerable Redis servers to spread a host of malware, including Kinsing, P2PInfect, Skidmap, Migo, and HeadCrab.
Using Metasploit Meterpreter, there are two main attack methods that actors can employ to spread malware once they have gained access to Redis.
One is to register the malware-executing command as a Cron task; the other is to use the SLAVEOF command to make the target a slave (replica) of the Redis server that holds the malware.
ASEC observed an attack targeting a Windows system running Redis 3.x, a version released in 2016.
In the attack, the threat actor first downloaded PrintSpoofer, a privilege escalation tool, in the installation path for Redis.
Attackers often use this tool against vulnerable services that are not managed properly or have not been patched to the latest version; in fact, ASEC has observed a flurry of such attacks against Redis since the second half of last year.
Meterpreter As Malicious Backdoor
After installing PrintSpoofer, the threat actor installed Meterpreter Stager, one of the two forms of the module; the two differ in how they are installed.
Meterpreter is to the Metasploit tool as Beacon is to Cobalt Strike.
When an attacker uses the Stager, the installation is the staged variant, which downloads the full Meterpreter payload directly from the attacker's command-and-control server.
Update Now
ASEC included a list of files, behaviors, and indicators of compromise from the attack in its post to help network administrators identify evidence of the threat on a system.
To avoid being compromised through this attack vector, ASEC advised that administrators of environments running Redis 3.x should, at the very least, apply the available patches to the server immediately so that known vulnerabilities cannot be exploited.
The best-case scenario is to upgrade from version 3.x to the latest release of the server.
Administrators should also deploy security controls that restrict external access to Redis servers exposed to the Internet, so that they cannot be discovered and abused, ASEC advised.
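As an added example that is not part of the ASEC post or the Dark Reading article, the following script audits a redis.conf for the two conditions the advice above targets: an instance reachable from outside without authentication, and replication-related commands (SLAVEOF/REPLICAOF) left enabled; it also treats CONFIG as a command worth disabling, which is an assumption of the example rather than a recommendation from the article. Both sample configurations are constructed for the demonstration.

```python
# Constructed audit helper; the directive names (bind, protected-mode, requirepass,
# rename-command) are real redis.conf settings, the sample configs below are made up.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}
# SLAVEOF/REPLICAOF is the replication path named in the article; CONFIG is an
# additional hardening item assumed by this example.
DANGEROUS_COMMANDS = {"SLAVEOF", "REPLICAOF", "CONFIG"}
EMPTY_VALUES = ('""', "''")  # how redis.conf spells "no value" / "disable command"


def parse_redis_conf(text):
    """Map each directive to the list of its argument lists, in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # redis.conf comments are whole lines
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means nothing weak was found."""
    conf = parse_redis_conf(text)
    findings = []
    # Redis listens on every interface when 'bind' is absent; '-' prefixes are optional binds.
    bind = conf.get("bind", [["0.0.0.0"]])[-1]
    if any(addr.lstrip("-") in WILDCARD_BINDS for addr in bind):
        findings.append("bind: listens on all interfaces; restrict to loopback or an internal address")
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("protected-mode: disabled; unauthenticated remote clients are accepted")
    password = conf.get("requirepass", [[]])[-1]
    if not password or password[0] in EMPTY_VALUES:
        findings.append("requirepass: not set; any client that can reach the port can issue commands")
    renamed = {v[0].upper() for v in conf.get("rename-command", [])
               if len(v) == 2 and v[1] in EMPTY_VALUES}
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f"rename-command: {cmd} still enabled; disable it with rename-command {cmd} \"\"")
    return findings


# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-STRONG-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
"""
```

Running `audit_redis_conf(WEAK_CONF)` yields six findings (open bind, protected mode off, no password, three enabled commands), while the hardened sample yields none.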
This Cyber News was published on www.darkreading.com. Publication date: Thu, 11 Apr 2024 18:25:19 +0000