Misconfigured Redis database servers are the goal of a novel cryptojacking marketing campaign that leverages a reliable and open supply command-line file switch service to implement its assault.
“Underpinning this marketing campaign was using switch[.]sh,” Cado Security mentioned in a report shared with The Hacker News. “It’s potential that it is an try at evading detections primarily based on different widespread code internet hosting domains (equivalent to pastebin[.]com).”
The cloud cybersecurity agency mentioned the command line interactivity related to switch[.]sh has made it a really perfect device for internet hosting and delivering malicious payloads.
The assault chain commences with concentrating on insecure Redis deployments, adopted by registering a cron job that results in arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at switch[.]sh.
It’s price noting that related assault mechanisms have been employed by different menace actors like TeamTNT and WatchDog of their cryptojacking operations.
The payload is a script that paves the way in which for an XMRig cryptocurrency miner, however not earlier than taking preparatory steps to liberate reminiscence, terminate competing miners, and set up a community scanner utility referred to as pnscan to seek out susceptible Redis servers and propagate the an infection.
“Although it’s clear that the target of this marketing campaign is to hijack system sources for mining cryptocurrency, an infection by this malware may have unintended results,” the corporate mentioned. “Reckless configuration of Linux reminiscence administration programs may fairly simply lead to corruption of knowledge or the lack of system availability.”
The growth makes it the newest menace to strike Redis servers after Redigo and HeadCrab in current months.
The findings additionally come as Avertium disclosed a brand new set of assaults by which SSH servers are brute-forced to deploy the XorDdos botnet malware on compromised servers with the aim of launching distributed denial-of-service (DDoS) assaults in opposition to targets situated in China and the U.S.
The cybersecurity firm mentioned it noticed 1.2 million unauthorized SSH connection makes an attempt throughout 18 honeypots between October 6, 2022, and December 7, 2022. It attributed the exercise to a menace actor primarily based in China.
42% of these makes an attempt originated from 49 IP addresses assigned to ChinaWeb Jiangsu Province Network, with the remaining emanating from 8,000 IP addresses scattered everywhere in the world.
“It was discovered that after the scanning recognized an open port, it will be topic to a brute-force assault in opposition to the ‘root’ account utilizing an inventory of roughly 17,000 passwords,” Avertium mentioned. “Once the brute-force assault was profitable, a XorDDoS bot was put in.”