Hackers Compromised Over 1,200 Redis Database Servers

A new type of malware, designed to target vulnerable Redis servers on the internet, has been spreading rapidly since September 2021. The fast-spreading malware is built to operate stealthily and has already infiltrated over a thousand servers, forming a botnet that is used to mine Monero. Nitzan Yaakov and Asaf Eitani, researchers at Aqua Security, discovered the malware and dubbed it HeadCrab. A total of 1,200 servers have been infected with the malware, which is also used to scan the internet for additional targets.

This sophisticated group has circumvented traditional security measures by creating highly specialized, state-of-the-art custom malware. As a result, the stealthy malware effectively evades detection, and it exploits and takes control of a significant number of vulnerable Redis servers.

Redis servers do not have authentication enabled by default, and the threat actors behind this botnet exploit this fact to propagate it. Redis servers are typically designed to operate inside an organization's network, which means they should not be reachable from the Internet. If administrators do not secure them properly, attackers are likely to be able to compromise them using malicious tools or malware. In summary, administrators must be extremely careful when configuring the local network and ensure that it cannot be accessed from outside.

After gaining access to a server that doesn't require authentication, the malicious actors issue a 'SLAVEOF' command to synchronize it with a master server under their control. Once the system has been hijacked, the HeadCrab malware is installed on it. As soon as it has been installed and launched, HeadCrab gives the threat actors all the abilities they need to take complete control of a targeted server and add it to their cryptomining botnet.

The threat actors appear to have focused on Redis servers because they are well versed in the Redis modules and APIs designed for those servers. The malware is memory-resident, and its ultimate goal is to hijack system resources for cryptocurrency mining. Besides executing shell commands, it can transmit data to remote servers and also load fileless kernel modules. To avoid detection, it also deletes all log files and communicates only with other servers that belong to its masters.

It has been determined that the Monero wallet linked to this botnet generated an annual profit of approximately $4,500 as a result of the attackers' activities. Profits like this are much higher than what similar operations usually earn, which is $200/worker on average.

Here below we have mentioned all the Redis commands that are used to operate the malware by the threat actor:

Whether it's running on a virtual machine or in a container, the HeadCrab malware is designed to stealthily attack Redis servers. Mitigating the security risks associated with Redis servers and aligning the Redis configuration with security best practices will harden the environment. Redis is meant to be used in a secure and trusted environment, so do not allow untrusted clients to access it. Make sure protected mode is enabled for enhanced security. Use the bind parameter to accept communication only from hosts that you know. As a precaution, you are strongly advised to disable the 'slaveof' feature if it is not actively used. Check the supply chain of your software to make sure that everything is in order. Tools that scan for vulnerabilities and misconfigurations can help your developers, DevOps, and security teams identify vulnerabilities.
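The configuration checks recommended above can be automated. The following is an added example, not code from the article or from Aqua Security: a small auditor that reads redis.conf text and reports which of the article's hardening points are missing. The sample configurations, the password placeholder and the function names are constructed for illustration, and the REPLICAOF check is an addition based on Redis exposing that newer name alongside SLAVEOF.

```python
import shlex

# Constructed sample: a redis.conf showing the weak settings the article warns about.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same file after applying the article's recommendations.
HARDENED_CONF = """\
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass "placeholder-long-random-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

def parse(conf_text):
    """Return [(directive, [args])] for every non-comment line of redis.conf text."""
    rows = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            rows.append((parts[0].lower(), parts[1:]))
    return rows

def audit(conf_text):
    """List the article's hardening points that this configuration misses."""
    rows = parse(conf_text)
    last = dict(rows)  # for single-valued directives the last occurrence wins
    # rename-command NAME "" disables NAME entirely.
    disabled = {a[0].upper() for d, a in rows
                if d == "rename-command" and len(a) == 2 and a[1] == ""}
    findings = []
    binds = last.get("bind", [])
    # No bind line, or a wildcard address, means Redis listens on every interface.
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for b in binds):
        findings.append("bind: listening on all interfaces")
    if " ".join(last.get("protected-mode", [])).lower() == "no":
        findings.append("protected-mode: disabled")
    # Only requirepass is checked; ACL-file based authentication is out of scope here.
    if not "".join(last.get("requirepass", [])):
        findings.append("requirepass: no password set")
    for cmd in ("SLAVEOF", "REPLICAOF"):  # REPLICAOF is the newer name for SLAVEOF
        if cmd not in disabled:
            findings.append(f"{cmd}: command still available")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Servers that legitimately use replication cannot disable these commands, which is why the article limits that advice to hosts where the feature is not actively used.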

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 04 Feb 2023 14:03:03 +0000

