At least 1,200 Redis database servers around the world have been taken over since early September 2021 by a dangerous and hard-to-detect threat called HeadCrab. According to Aqua Security researcher Asaf Eitani, this advanced threat actor uses custom-built malware that traditional and agentless anti-virus solutions do not detect to compromise a large number of Redis servers. The majority of infections have been found in China, Malaysia, India, Germany, the U.K., and the U.S. The origin of the threat actor is still unknown. This news comes two months after the cloud security firm revealed a Go-based malware called Redigo that was found to be targeting Redis servers.

The attack targets Redis servers that are exposed to the internet: the adversary issues a SLAVEOF command that points the victim at another Redis server already under their control. That malicious master then synchronizes the newly compromised server, which downloads the malicious payload containing the HeadCrab malware. The attacker appears to focus mainly on Redis servers and, as the malware demonstrates, has a deep understanding of and expertise in Redis modules and APIs.

The ultimate goal of the memory-resident malware is to hijack the system's resources for cryptocurrency mining, but it also offers the threat actor many other capabilities, including executing shell commands, loading fileless kernel modules, and exfiltrating data to a remote server. Furthermore, a follow-up analysis of the Redigo malware has revealed that it uses the same master-slave technique for propagation, and not the Lua sandbox escape flaw as previously reported.

To protect against this threat, users are advised not to expose Redis servers directly to the internet, to disable the SLAVEOF feature if it is not in use, and to configure the servers to accept connections only from trusted hosts.
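The three mitigations above translate directly into a configuration audit. The following is an added example written for this page, not code from Aqua Security or the article: it parses a `redis.conf` body and reports the exposure conditions the attack relies on (binding to all interfaces, `protected-mode` off, no authentication, the SLAVEOF/REPLICAOF and MODULE commands still reachable), and it parses the text of `INFO replication` to flag a server that has been turned into a replica of a master outside an allow-list, which is the state a SLAVEOF takeover leaves behind. The two sample configurations and the replication snapshot are constructed for the example; the `203.0.113.7` master address and the password value are placeholders.

```python
"""Audit redis.conf and an INFO replication snapshot for the exposure
conditions described above.  Added example; sample inputs are constructed."""


def parse_conf(text):
    """Parse a redis.conf body into {directive: [[args, ...], ...]}.
    Directive names are case-insensitive in Redis; repeats are kept because
    rename-command legitimately appears once per renamed command."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.split())
    return conf


def _disabled(conf, command):
    """True when `rename-command <COMMAND> ""` removes the command entirely."""
    for args in conf.get("rename-command", []):
        if len(args) == 2 and args[0].upper() == command and args[1] in ('""', "''"):
            return True
    return False


def audit_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = parse_conf(text)
    findings = []
    # `bind` absent means every interface; `-addr` marks an optional address.
    binds = [v.lstrip("-") for args in conf.get("bind", []) for v in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listens on all interfaces (reachable from the internet if the host is)")
    if any(args[:1] == ["no"] for args in conf.get("protected-mode", [])):
        findings.append("protected-mode no: loopback-only safety net disabled")
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass or ACL users: unauthenticated clients accepted")
    if not (_disabled(conf, "SLAVEOF") and _disabled(conf, "REPLICAOF")):
        findings.append("SLAVEOF/REPLICAOF reachable: any client can point this server at a rogue master")
    # Servers before Redis 7 have no switch for MODULE, so the auditor insists on
    # an explicit `enable-module-command no` (Redis 7+) or a rename to "".
    module_switch = conf.get("enable-module-command", [["unset"]])[0][:1]
    if not _disabled(conf, "MODULE") and module_switch != ["no"]:
        findings.append("MODULE command reachable: clients can load arbitrary modules")
    return findings


def check_replication(info_text, trusted_masters):
    """Parse the text of `INFO replication`; return a finding string when the
    server is a replica of a master not in `trusted_masters`, else None."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    if fields.get("role") != "slave":
        return None
    if fields.get("master_host") in trusted_masters:
        return None
    return f"replicating from untrusted master {fields.get('master_host')}:{fields.get('master_port')}"


# Constructed sample: an internet-facing cache with the defaults relaxed.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same server after applying the advice above.
# The password is a placeholder; on Redis 6+ ACL rules are the supported way
# to remove commands, but rename-command still works and is version-agnostic.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-placeholder
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
enable-module-command no
"""

# Constructed INFO replication output of a server that has been re-pointed
# at an attacker-controlled master (203.0.113.7 is a documentation address).
ROGUE_INFO = ("# Replication\r\nrole:slave\r\nmaster_host:203.0.113.7\r\n"
              "master_port:6379\r\nmaster_link_status:up\r\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["no findings"])
    print(check_replication(ROGUE_INFO, trusted_masters={"10.0.0.5"}))
```

`check_replication` is meant to be run periodically against `redis-cli INFO replication` output with the allow-list set to the masters a replica is supposed to follow; a standalone server should never report `role:slave`. On Redis 6 and later, an ACL rule such as `-@dangerous` (or the narrower `-slaveof -replicaof -module`) on every user is the supported equivalent of the `rename-command` lines the hardened sample uses.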
Eitani said HeadCrab will continue to use cutting-edge techniques to penetrate servers, either by exploiting misconfigurations or vulnerabilities.
This Cyber News was published on thehackernews.com. Publication date: Thu, 02 Feb 2023 10:16:03 +0000