"Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers"

A previously unknown Go-based malware is targeting Redis servers with the intent of taking control of infected systems and likely establishing a botnet network. According to cloud security firm Aqua, the attacks involve exploiting a critical security vulnerability in the open-source, in-memory, key-value store Redigo, which was disclosed earlier this year. The vulnerability, tracked as CVE-2022-0543 and assigned a CVSS score of 10.0, is related to a case of sandbox escape in the Lua scripting engine that could be exploited to gain Remote Code Execution (RCE). This is not the first time the flaw has been actively exploited. in March 2022, Juniper Threat Labs discovered attacks carried out by the Muhstik botnet to execute arbitrary commands. The Redigo infection chain is similar in that the adversaries search for exposed Redis servers on port 6379 to gain initial access before downloading a shared library called "exp lin.so" from a remote server. This library file comes with an exploit for CVE-2022-0543 to execute a command in order to retrieve Redigo from the same server, in addition to taking steps to mask its activity by simulating legitimate Redis cluster communication over port 6379. According to Aqua researcher Nitzan Yaakov, the dropped malware mimics Redis server communication, allowing the adversaries to conceal communications between the targeted host and the command-and-control (C2) server. This article continues to discuss the exploitation of the Redis vulnerability to deploy Redigo malware on servers.

THN reports "Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers"