Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Redigo: New Backdoor Targeting Redis Servers

Researchers at cloud security company Aqua Security are raising alarm on a newly identified backdoor targeting Redis servers.

Researchers at cloud security company Aqua Security are raising alarm on a newly identified backdoor targeting Redis servers.

Dubbed Redigo, the malware is written in Go and was seen being deployed in an attack that exploited a known Redis vulnerability (CVE-2022-0543, CVSS score of 10) for initial access.

Leading to remote code execution (RCE), the bug made headlines in April, when security researchers identified more than 2,000 internet-exposed servers that were potentially impacted. Patches were released in February.

The vulnerability impacts Redis because of its use of the Lua scripting engine, to enable users to load and execute Lua scripts directly on the server.

“In some Debian packages the Lua library provided a dynamic library. When the Redis server loads the Lua library, it loads a package variable. The package is left in the Lua sandbox and used to call any Lua library,” which leads to a Lua sandbox escape, Aqua explains.

Attackers scanning for internet-exposed Redis servers can execute a series of commands allowing them to identify instances vulnerable to CVE-2022-0543, and then exploit the security bug to run attacker-controlled code.

As part of the observed attacks, threat actors were dropping and executing the Redigo backdoor, which concealed its communication with the command-and-control (C&C) server to hide its presence on the machine.

Aqua has yet to determine the purpose of the Redigo attacks, but believes distributed denial-of-service (DDoS), cryptomining, data theft, and persistent access to compromised environments are the main candidates.

Because some of the backdoor’s functions are specific to Redis, the researchers believe that the attackers built and adjusted the threat to Redis servers. The malware is currently undetected by the antimalware engines in VirusTotal.

“These adversaries were using seemingly innocuous communication with the Redis protocol while building a botnet network and then converted our Redis server into a slave to execute the master’s commands. The attack was successful thanks to the vulnerability these adversaries exploited in our server,” Aqua notes.

Redis server owners are advised to apply patches as soon as possible and monitor their environments for any suspicious activity.

Related: Many Internet-Exposed Servers Affected by Exploited Redis Vulnerability

Related: 8,000 Unprotected Redis Instances Accessible From Internet

Related: Federal Agencies Instructed to Patch New Chrome Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.