An unknown threat actor has been quietly mining Monero cryptocurrency on open source Redis servers around the world for years, using a custom-made malware variant that is virtually undetectable by agentless and conventional antivirus tools.
Since September 2021, the threat actor has compromised at least 1,200 Redis servers — which thousands of mostly smaller organizations use as a database or a cache — and taken full control over them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of its honeypots, are tracking the malware as “HeadCrab.”
Sophisticated, Memory-Resident Malware
In a blog post this week, the security vendor described HeadCrab as memory-resident malware that presents an ongoing threat to Internet-connected Redis servers. Many of these servers don't have authentication enabled by default because they are meant to run on secure, closed networks.
Aqua's analysis of HeadCrab showed that the malware is designed to take advantage of how Redis works when replicating and synchronizing data stored across multiple nodes within a Redis Cluster. The process involves a command that basically allows administrators to designate a server within a Redis Cluster as a “slave” to another “master” server within the cluster. Slave servers synchronize with the master server and perform a variety of actions, including downloading any modules that may be present on the master server. Redis modules are executable files that administrators can use to enhance the functionality of a Redis server.
Aqua's researchers found HeadCrab exploiting this process to load a cryptocurrency miner on Internet-exposed Redis systems. In the attack on its honeypot, for instance, the threat actor used the legitimate SLAVEOF Redis command to designate the Aqua honeypot as the slave of an attacker-controlled master Redis server. The master server then initiated a synchronization process through which the threat actor downloaded a malicious Redis module containing the HeadCrab malware.
Asaf Eitani, security researcher at Aqua, says several features of HeadCrab suggest a high degree of sophistication and familiarity with Redis environments.
One big sign of that is the use of the Redis module framework as a tool to perform malicious actions — in this case, downloading the malware. Also significant is the malware's use of the Redis API to communicate with an attacker-controlled command-and-control (C2) server hosted on what appeared to be a legitimate but compromised server, Eitani says.
“The malware is specifically built for Redis servers, as it heavily relies on Redis Modules API usage to communicate with its operator,” he notes.
HeadCrab implements sophisticated obfuscation features to remain hidden on compromised systems, executes more than 50 actions in a completely fileless manner, and uses a dynamic loader to execute binaries and evade detection. “The threat actor is also modifying the normal behavior of the Redis service to obscure its presence and to prevent other threat actors from infecting the server through the same misconfiguration he used to gain execution,” Eitani notes. “Overall, the malware is very complex and uses multiple techniques to gain an edge on defenders.”
The malware is optimized for cryptomining and appears custom-designed for Redis servers. But it has built-in options to do much more, Eitani says. As examples, he points to HeadCrab's ability to steal SSH keys to infiltrate other servers and potentially steal data, and also its ability to load a fileless kernel module to completely compromise a server's kernel.
Assaf Morag, threat lead analyst at Aqua, says the company has not been able to attribute the attacks to any known threat actor or group of actors. But he suggests that organizations using Redis servers should assume a full breach if they detect HeadCrab on their systems.
“Harden your environments by scanning your Redis configuration files, make sure the server requires authentication and doesn't allow “slaveof” commands if not necessary, and don't expose the server to the Internet if not necessary,” Morag advises.
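To make that hardening advice concrete, here is an added example (not Aqua's or Redis's code) that audits a redis.conf for the settings Morag names and checks INFO replication output for a replica pointed at a master that is not on an allowlist, which is the state a SLAVEOF-based infection leaves behind. The config text, the 198.51.100.7 address and the allowlist are constructed samples.

```python
import re

# Constructed samples, not real server output and not from the article.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """bind 127.0.0.1
protected-mode yes
requirepass PLACEHOLDER-change-me
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""
# Constructed 'INFO replication' output from a host that should be standalone.
SUSPECT_INFO = ("# Replication\r\nrole:slave\r\nmaster_host:198.51.100.7\r\n"
                "master_port:6379\r\nmaster_link_status:up\r\n")


def parse_conf(text):
    """Map each directive to the list of values it was given (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_conf(text):
    """Return findings for the misconfigurations the article's advice targets."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: anyone reaching the port can issue SLAVEOF")
    # With no bind directive at all, Redis listens on every interface.
    binds = [b.lstrip("-") for b in " ".join(conf.get("bind", ["0.0.0.0"])).split()]
    if any(b in ("0.0.0.0", "*", "::", "::*") for b in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no")
    # rename-command <CMD> "" disables a command; both spellings must be covered.
    disabled = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.endswith('""')}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} not disabled via rename-command")
    return findings


def unexpected_master(info_text, allowed_masters=()):
    """Return master_host if this node replicates from a host not in the allowlist."""
    fields = dict(re.findall(r"^(\w+):(.*?)\r?$", info_text, re.M))
    if fields.get("role") == "slave" and fields.get("master_host") not in allowed_masters:
        return fields.get("master_host")
    return None
```

Running audit_conf on a live server's config alongside unexpected_master on its INFO replication output gives both the preventive check and the post-infection indicator in one pass.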
Morag says a Shodan search showed more than 42,000 Redis servers connected to the Internet. Of these, some 20,000 servers allowed some kind of access and could potentially be infected by a brute-force attack or vulnerability exploit, he says.
HeadCrab is the second Redis-targeted malware that Aqua has reported in recent months. In December, the security vendor discovered Redigo, a Redis backdoor written in the Go language. As with HeadCrab, Aqua discovered the malware when threat actors installed it on a vulnerable Redis honeypot.
“In recent years, Redis servers have been targeted by attackers, often through misconfiguration and vulnerabilities,” according to Aqua's blog post. “As Redis servers have become more popular, the frequency of attacks has increased.”
Redis expressed in a statement its support for cybersecurity researchers and said it wanted to acknowledge Aqua for getting the report out to the Redis community. “Their report shows the potential dangers of misconfiguring Redis,” the statement said. “We encourage all Redis users to follow the security guidance and best practices published within our open source and commercial documentation.”
There are no indications that Redis Enterprise software or Redis Cloud services have been impacted by the HeadCrab attacks, the statement added.