Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Redigo: New Backdoor Targeting Redis Servers

Researchers at cloud security company Aqua Security are raising alarm on a newly identified backdoor targeting Redis servers.

Researchers at cloud security company Aqua Security are raising alarm on a newly identified backdoor targeting Redis servers.

Dubbed Redigo, the malware is written in Go and was seen being deployed in an attack that exploited a known Redis vulnerability (CVE-2022-0543, CVSS score of 10) for initial access.

Leading to remote code execution (RCE), the bug made headlines in April, when security researchers identified more than 2,000 internet-exposed servers that were potentially impacted. Patches were released in February.

The vulnerability impacts Redis because of its use of the Lua scripting engine, to enable users to load and execute Lua scripts directly on the server.

“In some Debian packages the Lua library provided a dynamic library. When the Redis server loads the Lua library, it loads a package variable. The package is left in the Lua sandbox and used to call any Lua library,” which leads to a Lua sandbox escape, Aqua explains.

Attackers scanning for internet-exposed Redis servers can execute a series of commands allowing them to identify instances vulnerable to CVE-2022-0543, and then exploit the security bug to run attacker-controlled code.

As part of the observed attacks, threat actors were dropping and executing the Redigo backdoor, which concealed its communication with the command-and-control (C&C) server to hide its presence on the machine.

Aqua has yet to determine the purpose of the Redigo attacks, but believes distributed denial-of-service (DDoS), cryptomining, data theft, and persistent access to compromised environments are the main candidates.

Advertisement. Scroll to continue reading.

Because some of the backdoor’s functions are specific to Redis, the researchers believe that the attackers built and adjusted the threat to Redis servers. The malware is currently undetected by the antimalware engines in VirusTotal.

“These adversaries were using seemingly innocuous communication with the Redis protocol while building a botnet network and then converted our Redis server into a slave to execute the master’s commands. The attack was successful thanks to the vulnerability these adversaries exploited in our server,” Aqua notes.

Redis server owners are advised to apply patches as soon as possible and monitor their environments for any suspicious activity.

Related: Many Internet-Exposed Servers Affected by Exploited Redis Vulnerability

Related: 8,000 Unprotected Redis Instances Accessible From Internet

Related: Federal Agencies Instructed to Patch New Chrome Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights