Attackers Target Vulnerable Redis Servers to Deliver Redigo Backdoor

Attackers are abusing a critical vulnerability in Redis software to deploy a new Go-based malware named Redigo. The vulnerability has a maximum severity rating (CVSS score: 10.0) and it is under active exploitation.

The latest discovery

According to Aqua Nautilus researchers, attackers scan for exposed Redis servers on port 6379 to establish initial access.
  • After connecting to the Redis server, the attackers issue arbitrary Redis commands such as INFO, SLAVEOF, REPLCONF, PSYNC, MODULE LOAD, and SLAVEOF NO ONE to set up their attack.
  • Once command execution is available, the attack tooling checks for a compatible Redis version, creates a copy of the attacking server, and configures the connection between the attacking server and the newly created replica.
  • It then starts the replication stream and downloads a dynamic shared library from a remote server to run the exploit code for the vulnerability (CVE-2022-0543). Lastly, it turns replication off and quietly converts the vulnerable Redis server back into a master.

Attackers use the implanted backdoor to collect hardware information about the host and then download Redigo (redis-1.2-SNAPSHOT) and execute it after escalating privileges.

Tricks to remain hidden

  • Attackers try to get familiar with and learn about the system so they can conceal their activity and avoid being detected.
  • They are using port 6379 to hide their bidirectional communication between the malware and the attacking server.
  • They place the Redis server in a master-slave relationship in which the vulnerable Redis server acts as the client while the attacking server becomes the master.
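Detection logic for the command sequence described in the attack chain above and the master-slave trick in this section, run over Redis MONITOR-style records. This is an added example, not code from the report or from Aqua Nautilus; the client addresses, timestamps and module path are constructed.

```python
import re
from collections import defaultdict
# Constructed MONITOR-style records; the client addresses and module path are made up.
# Format: <unix ts> [<db> <client ip:port>] "CMD" "arg" ... (IPv4 clients only here)
SAMPLE_MONITOR = """\
1669900001.000000 [0 10.0.0.7:41000] "GET" "session:42"
1669900002.000000 [0 198.51.100.9:50221] "INFO"
1669900003.000000 [0 198.51.100.9:50221] "SLAVEOF" "198.51.100.9" "6379"
1669900004.500000 [0 198.51.100.9:50221] "MODULE" "LOAD" "/tmp/exp.so"
1669900005.000000 [0 198.51.100.9:50221] "SLAVEOF" "NO" "ONE"
1669900006.000000 [0 10.0.0.7:41000] "SET" "session:43" "x"
"""

LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return (client_ip, [cmd, args...]) or None for non-MONITOR lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = m.group(3).rsplit(':', 1)[0]
    return ip, ARG_RE.findall(m.group(4))

def detect_replication_abuse(monitor_text):
    """Return (client_ip, reason) alerts for replication/module abuse, in order."""
    alerts = []
    stage = defaultdict(int)  # per client: 0 nothing, 1 SLAVEOF seen, 2 MODULE LOAD after it
    for line in monitor_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[1]:
            continue
        ip, args = parsed
        cmd = args[0].upper()
        sub = args[1].upper() if len(args) > 1 else ''
        if cmd in ('SLAVEOF', 'REPLICAOF') and sub != 'NO':
            # Replication redirected; pointing it at the issuing client is the reported pattern.
            where = 'pointed at the issuing client' if args[1] == ip else 'target changed'
            alerts.append((ip, f'{cmd} {args[1]}: replication {where}'))
            stage[ip] = 1
        elif cmd == 'MODULE' and sub == 'LOAD':
            lib = args[2] if len(args) > 2 else '?'
            alerts.append((ip, f'MODULE LOAD {lib}: shared library loaded into the server'))
            if stage[ip] == 1:
                stage[ip] = 2
        elif cmd in ('SLAVEOF', 'REPLICAOF') and sub == 'NO' and stage[ip] == 2:
            # Server returned to master after SLAVEOF + MODULE LOAD: the full chain.
            alerts.append((ip, 'SLAVEOF NO ONE after SLAVEOF + MODULE LOAD: full chain'))
            stage[ip] = 0
    return alerts
```

Feeding real `redis-cli MONITOR` output into `detect_replication_abuse` yields one alert per suspicious step, so a single client producing all three alerts matches the chain the report describes.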

Wrapping up

Researchers speculate that the attackers aim to take control of the infected systems and are likely building a botnet to launch DDoS campaigns against target applications and businesses. The master-slave relationship also lets attackers exploit the host to steal data or sensitive information and gain a foothold in the environment.
Cyware Publisher