A Proof-of-Concept (PoC) exploit was publicly released on March 10 for a Lua sandbox escape vulnerability. Just the next day, the Muhstik gang began to exploit the flaw to drop a botnet for DDoS operations.
Exploiting the flaw
According to a report by Juniper Threat Labs, the attackers target the vulnerability CVE-2022-0543 in Redis Debian packages, which affects both Debian and Ubuntu Linux distributions.
- The attack telemetry includes an attempt to download the main payload, named russia.sh, using wget or curl from the attacker-controlled IP address 106[.]246[.]224[.]219.
- The script, saved as /tmp/russ, further downloads and executes Linux binaries identified to be variants of the Muhstik bot.
- When installed, the bot connects to an IRC server to receive commands, which include downloading files, executing shell commands, and carrying out flood attacks and SSH brute force attacks.
Tracing back to the Muhstik gang
The Juniper report traces back the originating IP addresses of the attacks on Redis servers to past campaigns by Muhstik.
- The IP address 191[.]232[.]38[.]25, which was used in the current campaign, was also used in December 2021 by the threat actor to launch attacks on Apache Log4j (CVE-2021-44228).
- Muhstik had targeted Confluence Servers exploiting the CVE-2021-26084 vulnerability in September 2021 using the same IP address.
Recommendations
The hackers had started exploiting the vulnerability in the shortest timespan possible. Unimaginably quick! To protect against this particular attack, users are recommended to update their packages to Redis package version 5.6.0.16.-1 or follow the Debian security advisory or Ubuntu's security bulletin on the issue.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/b63b_shutterstock_1269037720.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/28dc_shutterstock_1293015925.jpg)
