June 30, 2022

TheCyberThrone

Thinking Security! Always

Redis Servers A Target of Muhstik Bots

The Muhstik botnet has been observed targeting Redis servers through a recently disclosed vulnerability in the database. The same botnet is also capable of exploiting web application vulnerabilities.

Tracked as CVE-2022-0543 with a CVSS score of 10.0 (critical severity), the bug is a Lua sandbox escape in the open-source, in-memory key-value store that can be abused to achieve remote code execution on the underlying machine.


A remote attacker with the ability to execute arbitrary Lua scripts (for example via EVAL on an exposed or unauthenticated instance) could escape the Lua sandbox and execute arbitrary code on the host. The flaw is not in upstream Redis itself: it is due to a packaging issue specific to the Debian and Ubuntu Redis packages, whose builds leave Lua's package library reachable from scripts.

Attacks leveraging the new flaw started on March 11, 2022. Successful exploitation leads to the retrieval of a malicious shell script ("russia.sh") from a remote server, which in turn fetches and executes the botnet binaries from another server.

Muhstik has been active since March 2018 and is monetized through coin mining and DDoS attacks. It is also capable of self-propagating across Linux hosts and IoT devices, including GPON home routers, DD-WRT routers, and Tomato routers.

History of Vulnerabilities Exploited by the Botnet

  • CVE-2017-10271 (Oracle WebLogic Server), CVSS score: 7.5
  • CVE-2018-7600 (Drupal, "Drupalgeddon2"), CVSS score: 9.8
  • CVE-2019-2725 (Oracle WebLogic Server), CVSS score: 9.8
  • CVE-2021-26084 (Atlassian Confluence), CVSS score: 9.8
  • CVE-2021-44228 (Apache Log4j, "Log4Shell"), CVSS score: 10.0

The bot connects to an IRC server to receive commands, which include the following: downloading files, running shell commands, flood (DDoS) attacks, and SSH brute forcing.

Juniper Statement

Considering the active exploitation of this critical security flaw, users are strongly recommended to move quickly and patch their Redis services to the latest version.


Indicators of Compromise

SHA-256 hashes

  • 4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197
  • 46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f
  • 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b
  • 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3
  • 16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2
  • 28443c0a9bfd8a12c12a2aad3cc97d2e8998a9d8825fcf3643d46012f18713f0
  • 36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54

Download IP

  • 106[.]246.224.219
  • 160[.]16.58.163

Attacker IP

  • 104[.]236.150.159
  • 170[.]210.45.163
  • 146[.]185.136.187
  • 178[.]62.69.4
  • 191[.]232.38.25
  • 79[.]172.212.132
  • 221[.]120.103.253