Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.
The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.
“Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,” Ubuntu noted in an advisory released last month.
According to telemetry data gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (“russia.sh”) from a remote server, which is then used to fetch and execute the botnet binaries from another server.
First documented by Chinese security firm Netlab 360, Muhstik is known to have been active since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.
Capable of self-propagating on Linux and IoT devices like GPON home routers, DD-WRT routers, and Tomato routers, Muhstik has been observed weaponizing a number of flaws over the years –
- CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability
- CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability
- CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and
- CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell)
“This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,” Juniper Threat Labs researchers said in a report published last week.
In light of active exploitation of the critical security flaw, users are highly recommended to move quickly to patch their Redis services to the latest version.