Source: https://cobaltstrike.net/2022/03/29/muhstik-botnet-attacks-redis-servers/
The Muhstik botnet, known for spreading through vulnerabilities in web applications, is now attacking Redis servers through a recently disclosed sandbox bypass vulnerability in Lua (CVE-2022-0543). The vulnerability received 10 out of 10 points on the hazard assessment scale and allows you to remotely execute code on a system with vulnerable software.
As reported in an Ubuntu security notice published last month, “due to problems with the package, a remote attacker with the ability to execute arbitrary Lua scripts can bypass the Lua sandbox and execute arbitrary code on the host.”
According to the telemetry data of Juniper Threat Labs, attacks using this vulnerability began on March 11, 2022. The attacks consist in extracting a malicious shell script from a remote server russia.sh, which then extracts and executes the botnet code from another server.
The Muhstik botnet, first documented by specialists of the Chinese information technology company Netlab 360, has been active since March 2018 and is used for mining cryptocurrencies and carrying out DDoS attacks.
The malware is able to spread like a worm on Linux and IoT devices like GPON, DD-WRT and Tomato home routers. Over the past few years, he has exploited the following vulnerabilities:
CVE-2017-10271 (CVSS score 7.5 points) – vulnerability of input data validation in the Oracle WebLogic Server component of the Oracle Fusion Middleware software package;
CVE-2018-7600 (CVSS score 9.8 points) – vulnerability of remote code execution in Drupal;
CVE-2019-2725 (CVSS score 9.8 points) – vulnerability of remote code execution in Oracle WebLogic Server;
CVE-2021-26084 (CVSS score 9.8 points) – OGNL (Object-Graph Navigation Language) injection vulnerability in Atlassian Confluence;
CVE-2021-44228 (CVSS score 10.0 points) – vulnerability of remote code execution in Apache Log4j (Log4Shell).
“The bot connects to the IRC server to receive commands, including downloading files, executing shell commands, carrying out DDoS attacks and SSH bruteforce,” the Juniper Threat Labs report says.
Due to the exploitation of the vulnerability CVE-2022-0543 in hacker attacks, users are strongly advised to update their Redis servers to the latest version as soon as possible.