A new type of malware, designed to target vulnerable Redis servers on the internet, has been spreading rapidly since September 2021.
This quick-spreading malware, designed to operate stealthily, has already infiltrated over a thousand servers, forming a botnet that has been used to mine Monero.
Nitzan Yaakov and Asaf Eitani, researchers at Aqua Security, discovered this malware a while ago and dubbed it HeadCrab. A total of 1,200 such servers have been infected with the malware, which is also utilized to scan the internet for additional targets.
This sophisticated group has circumvented traditional security measures by creating highly specialized custom malware by utilizing state-of-the-art.
This makes the stealthy malware more advanced: it effectively evades detection, and it exploits and takes control of a significant number of vulnerable Redis servers.
Malware Attack Flow
Authentication is not enabled by default on Redis servers, and the threat actors behind this botnet exploit this fact to propagate it.
Typically these servers are designed to operate inside an organization's network, which means they should not be reachable from the Internet.
It is likely that attackers will be able to compromise them using malicious tools or malware if administrators do not secure them properly. In summary, administrators must be extremely careful while configuring the local network and ensure that it cannot be accessed from outside their network.
After gaining access to a server that doesn't require authentication, the malicious actors issue the 'SLAVEOF' command.
This makes the targeted server a replica of a master server under the attackers' control and synchronizes it with that master. Once the system has been hijacked, the HeadCrab malware can be installed on it.
As soon as it has been installed and launched, HeadCrab gives threat actors all the capabilities they need to take complete control of a targeted server and add it to their cryptomining botnet.
It appears that the threat actors have focused on Redis servers because they are well versed in the Redis modules and APIs designed for those servers.
The ultimate goal of this memory-resident malware is to hijack system resources for cryptocurrency mining. Besides executing shell commands, it can transmit data to remote servers and also load fileless kernel modules.
To avoid detection, it also deletes all log files and communicates only with other servers that belong to its masters.
Annual Profit & Redis Commands
It has been determined that the Monero wallet linked to this botnet generated an annual profit of approximately $4,500 as a result of the attackers’ activities.
Profit margins like this are much higher than what is usually earned by similar operations, which make $200/worker on average.
Below are all the Redis commands that the threat actor uses to operate the malware:
Whether it's running on a virtual machine or in a container, the HeadCrab malware is designed to stealthily attack Redis servers.
Mitigating the security risks associated with Redis servers and aligning the Redis configuration with security best practices will harden the environment:
- Redis is meant to be used in a secure and trusted environment, so do not allow untrusted clients to access it.
- Make sure protected mode is enabled for enhanced security.
- Use the bind parameter to accept communication from hosts that you know.
- As a precaution, you are strongly advised to disable the 'slaveof' feature if it is not actively used.
- Check the supply chain of your software to make sure that everything is in order.
- With tools that scan for vulnerabilities and misconfigurations, your developers, DevOps, and security teams can be empowered to identify vulnerabilities.
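The configuration checks in the list above can be run mechanically against a redis.conf. The auditor below is an added example, not code from Aqua Security or from the original article; the two sample configurations are constructed, the finding strings are hypothetical names, and REPLICAOF (the Redis 5+ name for SLAVEOF) is checked alongside the 'slaveof' feature the list mentions. It assumes authentication is configured with requirepass rather than ACL users.

```python
import shlex

WILDCARD_BINDS = {"*", "0.0.0.0", "::", "::*"}   # listen on every interface
REPLICATION_CMDS = ("SLAVEOF", "REPLICAOF")      # REPLICAOF is the Redis 5+ name

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """
# instance that does not use replication
bind 127.0.0.1 -::1
protected-mode yes
requirepass "<long-random-secret>"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

def parse_conf(text):
    """Map each redis.conf directive to the list of argument lists seen."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quotes and '#'
        if tokens:
            conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf

def audit(text):
    """Return findings for the settings named in the hardening list."""
    conf, findings = parse_conf(text), []
    # The last occurrence of a directive wins; absent means the server default.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode disabled")
    binds = conf.get("bind", [["*"]])[-1]          # no bind = all interfaces
    if any(addr.lstrip("-") in WILDCARD_BINDS for addr in binds):
        findings.append("bind listens on all interfaces")
    secret = conf.get("requirepass", [[""]])[-1]
    if not (secret and secret[0]):
        findings.append("requirepass not set")
    # rename-command NAME "" removes NAME from the command table.
    removed = {a[0].upper() for a in conf.get("rename-command", [])
               if len(a) == 2 and a[1] == ""}
    findings += [f"{c} callable" for c in REPLICATION_CMDS if c not in removed]
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Removing SLAVEOF and REPLICAOF with rename-command is only appropriate on instances that do not use replication, as the list notes.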