Researchers at cloud security company Aqua Security are raising alarm on a newly identified backdoor targeting Redis servers.
Dubbed Redigo, the malware is written in Go and was seen being deployed in an attack that exploited a known Redis vulnerability (CVE-2022-0543, CVSS score of 10) for initial access.
Leading to remote code execution (RCE), the bug made headlines in April, when security researchers identified more than 2,000 internet-exposed servers that were potentially impacted. Patches were released in February.
The vulnerability impacts Redis because of its use of the Lua scripting engine, to enable users to load and execute Lua scripts directly on the server.
“In some Debian packages the Lua library provided a dynamic library. When the Redis server loads the Lua library, it loads a package variable. The package is left in the Lua sandbox and used to call any Lua library,” which leads to a Lua sandbox escape, Aqua explains.
Attackers scanning for internet-exposed Redis servers can execute a series of commands allowing them to identify instances vulnerable to CVE-2022-0543, and then exploit the security bug to run attacker-controlled code.
As part of the observed attacks, threat actors were dropping and executing the Redigo backdoor, which concealed its communication with the command-and-control (C&C) server to hide its presence on the machine.
Aqua has yet to determine the purpose of the Redigo attacks, but believes distributed denial-of-service (DDoS), cryptomining, data theft, and persistent access to compromised environments are the main candidates.
Because some of the backdoor’s functions are specific to Redis, the researchers believe that the attackers built and adjusted the threat to Redis servers. The malware is currently undetected by the antimalware engines in VirusTotal.
“These adversaries were using seemingly innocuous communication with the Redis protocol while building a botnet network and then converted our Redis server into a slave to execute the master’s commands. The attack was successful thanks to the vulnerability these adversaries exploited in our server,” Aqua notes.
Redis server owners are advised to apply patches as soon as possible and monitor their environments for any suspicious activity.
Related: Many Internet-Exposed Servers Affected by Exploited Redis Vulnerability
Related: 8,000 Unprotected Redis Instances Accessible From Internet
Related: Federal Agencies Instructed to Patch New Chrome Zero-Day