Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability

Muhstik, a botnet infamous for propagating via web application exploits, has been noticed targeting Redis servers utilizing a lately disclosed vulnerability in the databases method.

The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-supply, in-memory, crucial-benefit knowledge retail outlet that could be abused to accomplish distant code execution on the underlying device. The vulnerability is rated 10 out of 10 for severity.

“Because of to a packaging issue, a distant attacker with the capacity to execute arbitrary Lua scripts could perhaps escape the Lua sandbox and execute arbitrary code on the host,” Ubuntu pointed out in an advisory introduced past month.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

In accordance to telemetry details collected by Juniper Threat Labs, the attacks leveraging the new flaw are mentioned to have commenced on March 11, 2022, leading to the retrieval of a destructive shell script (“russia.sh”) from a distant server, which is then utilized to fetch and execute the botnet binaries from a further server.

Very first documented by Chinese security firm Netlab 360, Muhstik is acknowledged to be energetic since March 2018 and is monetized for carrying out coin mining actions and staging distributed denial-of-company (DDoS) attacks.

Capable of self-propagating on Linux and IoT products like GPON house router, DD-WRT router, and Tomato routers, Muhstik has been noticed weaponizing a number of flaws more than the yrs –

• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server part of Oracle Fusion Middleware
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability
• CVE-2019-2725 (CVSS rating: 9.8) – Oracle WebLogic Server distant code execution vulnerability
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Item-Graph Navigation Language) injection flaw in Atlassian Confluence, and
• CVE-2021-44228 (CVSS score: 10.) – Apache Log4j distant code execution vulnerability (aka Log4Shell)

“This bot connects to an IRC server to receive instructions which incorporate the following: obtain documents, shell instructions, flood attacks, [and] SSH brute force,” Juniper Threat Labs researchers said in a report revealed very last week.

In gentle of energetic exploitation of the critical security flaw, consumers are really proposed to move promptly to patch their Redis services to the latest model.

Identified this posting exciting? Follow THN on Fb, Twitter  and LinkedIn to read much more unique content we put up.