An unknown threat actor has been quietly mining Monero cryptocurrency on open source Redis servers around the globe for years, using a custom-made malware variant that is almost undetectable by agentless and conventional antivirus tools.
Since September 2021, the threat actor has compromised at least 1,200 Redis servers, which thousands of mostly smaller organizations use as a database or a cache, and taken full control over them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of its honeypots, are tracking the malware as "HeadCrab."
Sophisticated, Memory-Resident Malware
In a blog post this week, the security vendor described HeadCrab as memory-resident malware that presents an ongoing threat to Internet-connected Redis servers. Many of these servers do not have authentication enabled by default because they are meant to run on secure, closed networks.
Aqua's analysis of HeadCrab showed that the malware is designed to take advantage of how Redis replicates and synchronizes data stored across multiple nodes in a Redis Cluster. The process involves a command that essentially allows administrators to designate a server within a Redis Cluster as a "slave" (replica) of another "master" server in the cluster: SLAVEOF, which Redis 5 and later also accept under the name REPLICAOF. Slave servers synchronize with the master server and perform a variety of actions, including downloading any modules that might be present on the master server. Redis modules are executable files that administrators can use to extend the functionality of a Redis server.
Aqua's researchers found HeadCrab exploiting this process to load a cryptocurrency miner on Internet-exposed Redis systems. In the attack on its honeypot, for instance, the threat actor used the legitimate SLAVEOF Redis command to designate the Aqua honeypot as the slave of an attacker-controlled master Redis server. The master server then initiated a synchronization process through which the threat actor downloaded a malicious Redis module containing the HeadCrab malware.
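The sequence above (a SLAVEOF that points an exposed server at an attacker-controlled master, followed by a module being dropped onto the victim) is visible in the server's own command stream. The following detection is an added example written for this article, not code from Aqua or from the Redis project: it parses the output format of `redis-cli MONITOR` and flags SLAVEOF/REPLICAOF commands that redirect replication to a host outside a trusted network, plus any runtime MODULE LOAD, escalating the latter when it follows such a redirect. The sample MONITOR lines and the `TRUSTED_NETS` range are constructed assumptions for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `redis-cli MONITOR` output (invented for this example,
# not a real capture). Format: <unix ts> [<db> <client ip:port>] "CMD" "arg" ...
SAMPLE_MONITOR = """\
1675000001.101 [0 10.0.0.5:41222] "GET" "session:abc"
1675000002.210 [0 203.0.113.7:50110] "SLAVEOF" "198.51.100.9" "6379"
1675000002.305 [0 203.0.113.7:50110] "CONFIG" "SET" "dir" "/tmp"
1675000004.552 [0 203.0.113.7:50110] "MODULE" "LOAD" "/tmp/x.so"
1675000005.001 [0 10.0.0.5:41222] "SET" "session:abc" "1"
1675000006.900 [0 10.0.0.9:41300] "REPLICAOF" "10.0.0.10" "6379"
1675000010.000 [0 10.0.0.9:41300] "REPLICAOF" "NO" "ONE"
"""

# Assumption for this example: legitimate replication peers and admins live in 10.0.0.0/8.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<argv>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class Event:
    ts: float
    client_ip: str
    cmd: str
    args: list


def parse_monitor(text: str) -> list:
    """Turn MONITOR lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        argv = ARG_RE.findall(m["argv"])
        if not argv:
            continue
        ip = m["addr"].rsplit(":", 1)[0]   # strip the client port
        events.append(Event(float(m["ts"]), ip, argv[0].upper(), argv[1:]))
    return events


def is_trusted(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                       # hostnames are treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def detect_rogue_replication(events: list, window: float = 300.0) -> list:
    """Return (ts, client_ip, reason) alerts for the rogue-master pattern:
    a SLAVEOF/REPLICAOF that points the server at an untrusted master or comes
    from an untrusted client, and any MODULE LOAD, marked as a likely module
    drop when it follows such a redirect from the same client within `window` seconds."""
    alerts = []
    redirected_at = {}                     # client_ip -> ts of last suspicious SLAVEOF
    for e in events:
        if e.cmd in ("SLAVEOF", "REPLICAOF"):
            if not e.args or e.args[0].upper() == "NO":
                continue                   # "SLAVEOF NO ONE" promotes to master; benign here
            master = e.args[0]
            if not is_trusted(e.client_ip) or not is_trusted(master):
                alerts.append((e.ts, e.client_ip,
                               f"replication pointed at {master} by untrusted client"))
                redirected_at[e.client_ip] = e.ts
        elif e.cmd == "MODULE" and e.args and e.args[0].upper() == "LOAD":
            path = e.args[1] if len(e.args) > 1 else "?"
            prior = redirected_at.get(e.client_ip)
            if prior is not None and e.ts - prior <= window:
                alerts.append((e.ts, e.client_ip,
                               f"MODULE LOAD {path} after rogue SLAVEOF: likely rogue-replica module drop"))
            else:
                alerts.append((e.ts, e.client_ip, f"MODULE LOAD {path} from runtime command"))
    return alerts


if __name__ == "__main__":
    for ts, ip, reason in detect_rogue_replication(parse_monitor(SAMPLE_MONITOR)):
        print(f"{ts:.3f} {ip}: {reason}")
```

On the constructed sample this raises two alerts for 203.0.113.7 (the redirect to 198.51.100.9 and the module load that follows it) and none for the in-network REPLICAOF, including the `REPLICAOF NO ONE` promotion. MONITOR itself costs throughput on a busy server, so in production the same logic would run over a command log or ACL log rather than a live MONITOR stream.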
Asaf Eitani, security researcher at Aqua, says several features of HeadCrab suggest a high degree of sophistication and familiarity with Redis environments.
One big sign of that is the use of the Redis module framework as a tool to perform malicious actions, in this case downloading the malware. Also significant is the malware's use of the Redis API to communicate with an attacker-controlled command-and-control (C2) server hosted on what appeared to be a legitimate but compromised server, Eitani says.
"The malware is specifically built for Redis servers, as it heavily relies on Redis Modules API usage to communicate with its operator," he notes.
HeadCrab implements sophisticated obfuscation features to remain hidden on compromised systems, executes more than 50 actions in a completely fileless fashion, and uses a dynamic loader to execute binaries and evade detection. "The threat actor is also modifying the normal behavior of the Redis service to obscure its presence and to prevent other threat actors from infecting the server through the same misconfiguration he used to gain execution," Eitani notes. "Overall, the malware is very complex and uses multiple methods to gain an edge on defenders."
The malware is optimized for cryptomining and appears custom-designed for Redis servers. But it has built-in options to do much more, Eitani says. As examples, he points to HeadCrab's ability to steal SSH keys to infiltrate other servers and potentially steal data, and also its ability to load a fileless kernel module to completely compromise a server's kernel.
Assaf Morag, lead threat analyst at Aqua, says the company has not been able to attribute the attacks to any known threat actor or group of actors. But he suggests that organizations using Redis servers should assume a full breach if they detect HeadCrab on their systems.
"Harden your environments by scanning your Redis configuration files, ensure the server requires authentication and does not allow 'slaveof' commands if not necessary, and don't expose the server to the Internet if not necessary," Morag advises.
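Morag's three recommendations (scan the configuration, require authentication, keep SLAVEOF unreachable and the server off the Internet) map onto a handful of redis.conf directives. The audit below is an added example for this article, not Aqua's or Redis's own tooling: it parses a redis.conf, flags a wildcard `bind`, disabled `protected-mode`, missing `requirepass` (or ACL `user` password), replication and module commands that have not been neutralized with `rename-command`, and `enable-module-command` set to anything but `no`. Both configuration texts are constructed for the demonstration; the weak one is the Internet-exposed, unauthenticated setup the article describes, the second is its hardened form.

```python
import shlex

# Constructed sample configurations (invented for this example, not taken from
# the article or from the Redis documentation).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "change-me-to-a-long-random-secret"
# Disable the commands the rogue-master technique needs. rename-command only
# affects the client command: a replica configured with the replicaof
# directive still replicates from its configured master.
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
enable-module-command no
"""

# Commands the rogue-replica technique relies on; on a standalone cache or
# database they should be unreachable from ordinary clients.
SENSITIVE_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")
ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists it was given.
    Directives such as rename-command may legitimately repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    # A missing bind or a wildcard address listens on every interface. Redis
    # allows an optional-address prefix "-", which is stripped before comparing.
    bind = conf.get("bind", [[]])[0]
    if not bind or any(a.lstrip("-") in ALL_INTERFACES for a in bind):
        findings.append("bind: server listens on all interfaces")

    if conf.get("protected-mode", [["yes"]])[0][0].lower() != "yes":
        findings.append("protected-mode: disabled, unauthenticated remote clients accepted")

    # Authentication: requirepass, or an ACL 'user' line carrying a ">password" token.
    acl_password = any(any(tok.startswith(">") for tok in args) for args in conf.get("user", []))
    if not conf.get("requirepass") and not acl_password:
        findings.append("requirepass: no password configured")

    # Either renaming to "" (disabled) or to an unguessable name counts as neutralized.
    neutralized = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in neutralized:
            findings.append(f"{cmd}: command still reachable by any authenticated client")

    # Redis 7 gates MODULE behind enable-module-command (default no); older
    # versions lack the directive, so rename-command above is the fallback there.
    if conf.get("enable-module-command", [["no"]])[0][0].lower() != "no":
        findings.append("enable-module-command: MODULE LOAD permitted at runtime")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```

The weak configuration produces seven findings; the hardened one produces none. A server that is deliberately a replica still needs replication, so on such hosts the check for REPLICAOF should be relaxed and the master address pinned through the `replicaof` directive and `masterauth` rather than left to a runtime command. The static check does not replace the network-level control in Morag's advice: a correctly configured server that is reachable from the Internet is still one password away from the same outcome.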
Morag says a Shodan search showed more than 42,000 Redis servers connected to the Internet. Of those, some 20,000 allowed some form of access and could potentially be infected through a brute-force attack or vulnerability exploit, he says.
HeadCrab is the second Redis-targeted malware that Aqua has reported in recent months. In December, the security vendor discovered Redigo, a Redis backdoor written in the Go language. As with HeadCrab, Aqua discovered the malware when threat actors installed it on a vulnerable Redis honeypot.
"In recent years, Redis servers have been targeted by attackers, often through misconfiguration and vulnerabilities," according to Aqua's blog post. "As Redis servers have become more popular, the frequency of attacks has increased."
Redis expressed in a statement its support for cybersecurity researchers and said it wanted to acknowledge Aqua for getting the report out to the Redis community. "Their report shows the potential dangers of misconfiguring Redis," the statement said. "We encourage all Redis users to follow the security guidance and best practices published within our open source and commercial documentation."
There are no indications that Redis Enterprise software or Redis Cloud services have been impacted by the HeadCrab attacks, the statement added.