- Aqua Nautilus has discovered a new backdoor malware, written in Go and targeting Redis servers, which it has named Redigo.
- The malware, discovered in 2022, exploits a vulnerability in the Redis Lua scripting engine to compromise the server.
- Aqua Nautilus detected the malware after hackers launched an attack against one of the company's deliberately vulnerable Redis honeypots.
Aqua Nautilus has shared the details of a new Go-based malware it discovered. The malware targets Redis servers; the attack that exposed it hit one of Aqua Nautilus' deliberately vulnerable Redis honeypots and exploited the vulnerability tracked as CVE-2022-0543.
Written in the Go language
Aqua Nautilus' investigation uncovered a new, previously undetected malware written in Go. The malware is designed to let the attacking server take full control of the compromised Redis server. The team named the malware Redigo.
The malware exploits a vulnerability in the Lua scripting engine that was disclosed in 2022. In some Debian packages the Lua library is provided as a dynamic library, and when the server loads it, the package variable is left accessible inside the Lua sandbox, from where any Lua library can be called. The result is a Lua sandbox escape that allows attackers to execute arbitrary commands.
Scanners or botnets search for Redis servers exposed on port 6379. Once connected to the Redis server, the adversaries run the following Redis commands:
- INFO command: returns information about the Redis server. Among the data returned is the server version, which tells adversaries whether the instance is vulnerable to CVE-2022-0543. This confirmation is what they need before preparing to exploit the vulnerability.
- SLAVEOF command: makes the vulnerable Redis server a replica of the attacking server. This later lets them deliver the shared object used to exploit the vulnerability.
- REPLCONF command: configures the connection between the master (the attacking server) and the replica that was just created.
- PSYNC command: the new replica runs this command to initiate a replication stream from the master. The connection keeps the replica updated and lets the master send a stream of commands. The attacking server, now defined as the master, uses this connection to write the shared library exp_lin.so to the replica's disk. The connection can also serve the adversaries as a backdoor: if it is interrupted, the replica reconnects and tries to fetch the part of the command stream it missed while disconnected.
- MODULE LOAD command: loads, at runtime, a module from the dynamic library downloaded in stage 4 (PSYNC). This library exploits the vulnerability and is later used to run arbitrary commands.
- SLAVEOF NO ONE command: turns replication off and converts the vulnerable Redis server back into a master.
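The command chain above, as seen from the victim, is easy to spot in Redis MONITOR output. The following detection logic is an added example written for this article (not Aqua's code); the log lines, the 203.0.113.10 address and the /tmp/exp_lin.so path are constructed placeholders, not indicators from the report.

```python
# Example code added to this article (not Aqua's): flag the Redigo command chain in Redis MONITOR output.
# The log lines below are constructed; 203.0.113.10 and /tmp/exp_lin.so are placeholders, not real IoCs.
import re
from collections import defaultdict

# MONITOR output looks like: <unix_ts> [<db> <client ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SAMPLE_MONITOR_LINES = [
    '1669900001.000000 [0 203.0.113.10:51234] "INFO"',
    '1669900002.000000 [0 203.0.113.10:51234] "SLAVEOF" "203.0.113.10" "6379"',
    '1669900005.000000 [0 203.0.113.10:51234] "MODULE" "LOAD" "/tmp/exp_lin.so"',
    '1669900006.000000 [0 203.0.113.10:51234] "SLAVEOF" "NO" "ONE"',
    '1669900007.000000 [0 10.0.0.5:40000] "GET" "session:42"',
]

def parse_monitor_line(line):
    """Return (timestamp, client address, [COMMAND, args...]) or None for an unparseable line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    if not args:
        return None
    return float(m.group("ts")), m.group("addr"), [args[0].upper()] + args[1:]

def detect_replication_abuse(lines):
    """Per client, track the steps the victim itself receives: SLAVEOF <host> <port> (re-point
    replication at an external host) -> MODULE LOAD (load the dropped .so) -> SLAVEOF NO ONE (detach).
    REPLCONF and PSYNC are sent by the victim to its new master, so look for them in network captures."""
    state = defaultdict(dict)
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, addr, args = parsed
        cmd, rest = args[0], [a.upper() for a in args[1:]]
        client = state[addr]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(rest) >= 2:
            if rest[:2] == ["NO", "ONE"]:
                if "module" in client:   # detaching right after loading a module: chain complete
                    alerts.append({"ts": ts, "client": addr, "stage": "replication_reset", "module": client["module"]})
            else:
                client["master"] = f"{args[1]}:{args[2]}"   # replication now points at an external host
        elif cmd == "MODULE" and rest[:1] == ["LOAD"] and len(args) >= 3 and "master" in client:
            client["module"] = args[2]
            alerts.append({"ts": ts, "client": addr, "stage": "module_load", "master": client["master"], "module": args[2]})
    return alerts
```

A lone SLAVEOF NO ONE, or a MODULE LOAD from a client that never changed the replication target, is not flagged, so routine failover and administrator module loads stay quiet.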
For command and control, the malware mimics Redis server communication, which lets the adversaries hide the traffic between the targeted host and the C2 server. Once the malware is downloaded, the vulnerable Redis server acts as a client while the attacking server acts as the Redis server. This role reversal lets the two sides carry the C2 channel inside what looks like ordinary Redis traffic: the attacking server's responses are used as commands for future attacks. Because it uses port 6379, the traffic simulates legitimate Redis cluster communication. Aqua Nautilus recommends:
- Unknown threats and zero-days are here to stay. Even if you do everything right, you can't always protect your runtime environments from such attacks, so you need to monitor them. Deploy the Aqua Lightning Enforcer to protect your runtime environments. Runtime monitoring is a fundamental practice that helps mitigate issues quickly and minimize disruptions, and it covers the runtime environment where suspicious activity can occur.
- Harden your environments to prevent undesired Redis commands such as slaveof from being run.
- Scan your supply chain. You can use open source tools such as Chain-Bench designed to audit your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
- Empower your developers, DevOps and security teams with tools that scan for vulnerabilities and misconfigurations. Alongside Aqua's commercial tools, open-source tools such as Trivy can scan for such vulnerabilities.
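The hardening recommendation above (blocking slaveof and similar commands) can be checked against a redis.conf before deployment. The audit below is an added example written for this article, not an Aqua tool; the two configuration samples are constructed, and the checks rely on the standard redis.conf directives protected-mode, bind, requirepass, aclfile, rename-command and enable-module-command (the last one exists only in Redis 7 and later).

```python
# Example code added to this article: audit a redis.conf text for the settings that block the
# SLAVEOF / MODULE LOAD abuse described above. Both configs are constructed samples.
import shlex

# Commands the attack chain relies on (plus CONFIG and DEBUG, which are commonly disabled alongside them).
DANGEROUS = {"SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG"}

WEAK_CONF = """
# constructed sample: an internet-facing default
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# constructed sample: loopback only, authenticated, dangerous commands disabled
bind 127.0.0.1 -::1
protected-mode yes
requirepass "<replace-with-a-long-random-secret>"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command DEBUG ""
enable-module-command no
"""

def parse_redis_conf(text):
    """Return (directive, args) tuples; redis.conf quotes values the way a shell does, so shlex fits."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    values, disabled = {}, set()
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and len(args) == 2 and args[1] == "":
            disabled.add(args[0].upper())          # rename-command X "" removes the command entirely
        else:
            values[directive] = args
    findings = []
    if values.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is off")
    bind = values.get("bind")
    if bind is None or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind exposes the server on all interfaces")
    if "requirepass" not in values and "aclfile" not in values:
        findings.append("no authentication configured (requirepass/aclfile)")
    # Older Redis versions lack enable-module-command, so require it to be set to "no" explicitly.
    module_blocked = values.get("enable-module-command", [""])[0].lower() == "no"
    for cmd in sorted(DANGEROUS):
        if cmd not in disabled and not (cmd == "MODULE" and module_blocked):
            findings.append(f"{cmd} command is still reachable")
    return findings
```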
Aqua Nautilus said,
« We are standing before a new threat, backdoor malware first seen in the wild. These adversaries were using seemingly innocuous communication with the Redis protocol while building a botnet network and then converted our Redis server into a slave to execute the master’s commands. The attack was successful thanks to the vulnerability these adversaries exploited in our server. »