December 8, 2022

What is Redigo Malware? How to Protect Your Redis Server from Redigo Malware?



Aqua Nautilus revealed a new, previously undetected threat targeting CVE-2022-0543, a critical vulnerability discovered in the Lua scripting engine in the Redis datastore. Since the malware is written in the Go language and targets vulnerable Redis servers, Aqua's research team, Nautilus, named the malware Redigo. As per the report shared, Redigo enables adversaries to take over a vulnerable Redis server and change the role of the server so that it acts as a client to the adversary's rogue Redis server. Once the attackers establish control over the victim Redis server, they can make it join their bot network to carry out distributed denial of service attacks, steal sensitive information from the compromised server, or even use the victim's resources for crypto mining. Considering all these implications, it is good to know what Redigo malware is and how to protect your Redis server from it.

What Is Redis?

Redis is an open-source, in-memory data store used as a database, cache, and message broker. Redis is often referred to as a NoSQL or key-value store that provides fast access to stored data structures. It supports various data types such as strings, hashes, lists, sets, and sorted sets with range queries, bitmaps, HyperLogLogs, and geospatial indexes.

Redis also provides high availability via its master-slave replication feature. It fetches and delivers data with a short response time, allowing millions of requests per second. Redis is highly scalable and can support up to 2000+ client connections per second. It is far faster than a relational database. It is often used for gaming applications, real-time analytics, leaderboards, user profiles, session management, web page rendering, caching, and more.

Redis is written in C and is designed to be very fast and efficient with memory as well as storage. It also supports cluster mode allowing for easy horizontal scaling. With its robust feature set and performance benefits, Redis has become a popular choice among developers looking for an effective data storage solution.

Summary Of CVE-2022-0543: A Critical Lua Sandbox Escape Vulnerability In Redis

The CVE-2022-0543 vulnerability was disclosed in March 2022. To recap the background, the issue exists in the Lua scripting engine in the Redis datastore, which runs scripts written in the Lua programming language and can be accessed through the eval command. By design, the Lua engine should be sandboxed so that Redis clients can only interact with the Redis APIs, and clients shouldn't be able to execute arbitrary code on the machine running Redis.

This vulnerability exists because the Lua library in some Debian/Ubuntu packages is provided as a dynamic library. When the Lua interpreter initializes, the package variable is automatically populated, and that in turn permits access to arbitrary Lua functionality. This lets remote attackers with the ability to execute Lua scripts escape the Lua sandbox and execute arbitrary code on the host.

This is a critical vulnerability with a CVSS score of 10 out of 10.

Associated CVE ID: CVE-2022-0543
Description: A Critical Lua Sandbox Escape Vulnerability in Redis that allows attackers to perform remote code execution on the host running Redis.
Associated ZDI ID: (none given)
CVSS Score: 10.0 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact Score: 6.0
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): None
User Interaction (UI): None
Scope: Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

A Short Note About Redigo Malware:

This is a backdoor malware designed to target Redis servers vulnerable to CVE-2022-0543. Redigo initially scans for vulnerable Redis servers exposed to the internet on port 6379, then tries to connect and deliver the shared dynamic library exp_lin.so, which helps the attackers download exploits, run commands and arbitrary code, elevate privileges, and finally steal sensitive data or completely take over the Redis server.

It is difficult to identify the malware as it operates on port 6379, which is the official Redis communication port on which Redis client-server communication happens. Once the attacker succeeds in delivering the Redigo malware, he can turn the compromised Redis server into a slave and create a command-and-control relationship between the attacker's rogue Redis server and the victim Redis server, which becomes a client post-compromise.

This Go-language backdoor not only helps adversaries maintain persistence, but also lets them make the server join their bot network to carry out distributed denial of service attacks, steal sensitive information from the compromised server, or even use the victim's resources for crypto mining.

IOCs
IP: 45.41.240.51
File Name | Type | MD5
redis-1.2-SNAPSHOT | Binary | a755eeede56cbce460138464bf79cacd
exp_lin.so | Binary | c3b9216936e2ed95dcf7bb7976455859

The Attack Flow of Redigo Malware

Let's walk through the attack flow of the Redigo malware, phase by phase, in this section.

Attack flow of Redigo malware (Source: Aqua)

Initial Access Phase: In the initial attack phase, adversaries scan for Redis servers exposed to the internet on port 6379 and run a few commands that help them create the attack surface. See the list of commands the malware tries to execute once it is connected to the victim Redis server.

Commands Redigo Malware runs on the Victim Redis server (Source: Aqua)

Execution Phase: Once the dynamic library (exp_lin.so) is loaded on the victim Redis server, it executes commands, downloads and runs the Redigo malware, and executes code that exploits the CVE-2022-0543 vulnerability.

Information Steal: Stealing sensitive information or gathering the victim's information is not a new thing. Most malware does this for its own benefit. Redigo tries to gather resource statistics such as the server, memory, and CPU of its targets.

Report to the Attacker's Redis server: The attacker's Redis servers use network port 6379 to communicate with the compromised Redis server. This makes most security solutions fail to identify the Redigo malware.

Don't forget to read the technical details from Aqua Nautilus, the team that disclosed the Redigo malware by deploying a honeypot.
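A detection sketch for the behaviour described above, added here as an example and not taken from the original article or Aqua's report: it parses the output of Redis's INFO replication command and flags a server that has become a replica of an unapproved or IoC-listed master, and it matches file bytes against the MD5 IoCs on this page. The sample INFO output and the approved_masters allowlist are constructed assumptions.

```python
import hashlib

# IoCs quoted on this page.
IOC_IPS = {"45.41.240.51"}
IOC_MD5 = {
    "a755eeede56cbce460138464bf79cacd": "redis-1.2-SNAPSHOT",
    "c3b9216936e2ed95dcf7bb7976455859": "exp_lin.so",
}

# Constructed sample of `INFO replication` output from a hijacked server.
SAMPLE_HIJACKED = (
    "# Replication\r\n"
    "role:slave\r\n"
    "master_host:45.41.240.51\r\n"
    "master_port:6379\r\n"
    "master_link_status:up\r\n"
)

def parse_info(text):
    """Turn the key:value lines of an INFO section into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            fields[key] = value
    return fields

def check_replication(info_text, approved_masters=frozenset()):
    """Flag a replica role whose master is an IoC or not on the allowlist."""
    info = parse_info(info_text)
    if info.get("role") != "slave":
        return []
    master = info.get("master_host", "")
    if master in IOC_IPS:
        return [f"replicating from IoC address {master}"]
    if master not in approved_masters:
        return [f"replicating from unapproved master {master}"]
    return []

def match_ioc_file(data):
    """Return the IoC file name if the bytes hash to a listed MD5, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())

if __name__ == "__main__":
    print(check_replication(SAMPLE_HIJACKED))
```

Because the malware talks over the normal Redis port, the replication role and master address are a more useful signal than the port number itself.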

How to Protect Your Redis Server from Redigo Malware?

Considering its ability to cause damage, it is highly important to protect your Redis server from Redigo malware. Redigo is an extremely dangerous type of malware that can compromise your Redis server and make it join the attackers' bot network to carry out distributed denial of service attacks, steal sensitive information from the compromised server, or even use the victim's resources for crypto mining. As this malware works by exploiting the CVE-2022-0543 vulnerability in the Redis database, it is important to take steps to protect your Redis server from it.

Fix the CVE-2022-0543 Vulnerability on the Redis server: The first step in protecting your Redis server is to ensure that your server is up to date with the latest version of Redis. Redis versions less than or equal to redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, redis/5:6.0.15-1 are said to be vulnerable to the flaw. This vulnerability is fixed in the redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2, redis/5:7.0~rc2-2 Redis server versions. Please upgrade your Redis to any of these versions. For the fix, read more details about the CVE-2022-0543 vulnerability.

Command to check the Redis server version:

$ sudo redis-server --version

Block the unauthorized traffic and IoCs on the Firewalls: You should also consider setting up a firewall on your server to prevent unauthorized connections from outside sources on port 6379. This will help protect your server from malicious attacks and make it harder for attackers to access your data. It is highly recommended to block the IoCs captured in the analysis on the firewalls.

Hardening of Redis servers: Disable the Redis protocol command if possible. Disabling it can help stop attackers from running undesired Redis commands such as SLAVEOF. It is important to take the Redis server off the internet. Keep it behind a secured VPN.

Scan your supply chain: Implement software supply chain audits based on 

 using tools like Chain-Bench.

Follow all the security guidelines: Don't skip any security guidelines, such as keeping the software up to date, deploying a strong authentication system, scanning for vulnerabilities and patching them, and implementing a good monitoring system so that you are alerted.

By following the steps above, you can greatly reduce the risk of your Redis server being compromised by Redigo Backdoor malware. It is important to stay vigilant and regularly update your software to ensure that your server remains secure. Taking these precautions can help protect your data from malicious attacks and make sure that it remains safe when using a Redis database.
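The hardening points above, turned into a configuration check (an added example, not from the original article or Aqua's report): it audits redis.conf text for network exposure, missing authentication and a still-callable SLAVEOF. Both sample configurations are constructed; checking REPLICAOF alongside SLAVEOF and using requirepass as the only authentication signal are assumptions of this example.

```python
LOOPBACK = {"127.0.0.1", "::1"}
REPLICATION_CMDS = ("SLAVEOF", "REPLICAOF")

# Constructed sample: exposed, unauthenticated instance.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass <long-random-secret>
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

def parse_conf(text):
    """Parse redis.conf text into (directive, [args]) pairs, skipping comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit(text):
    """Return a list of hardening findings for one redis.conf."""
    entries = parse_conf(text)
    findings = []
    # A leading "-" on a bind address only means "skip if unavailable".
    binds = [a.lstrip("-") for d, args in entries if d == "bind" for a in args]
    # With no bind directive Redis listens on every interface.
    if not binds or any(b not in LOOPBACK for b in binds):
        findings.append("bind: reachable beyond loopback, restrict or firewall port 6379")
    if ("protected-mode", ["no"]) in entries:
        findings.append("protected-mode: disabled")
    if not any(d == "requirepass" and args for d, args in entries):
        findings.append("requirepass: no password set")
    renamed = {args[0].upper() for d, args in entries
               if d == "rename-command" and len(args) == 2}
    for cmd in REPLICATION_CMDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still callable")
    return findings
```

Renaming SLAVEOF and REPLICAOF away also blocks legitimate replication changes, so apply it only on servers that never need to change their replication role at runtime.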

If you want to fix the CVE-2022-0543 Vulnerability on your Redis server, upgrade your Redis server to the fixed versions. Follow these steps to upgrade your Redis server.

How to Upgrade Redis server?

Upgrade the Redis server from 5.x to new stable 6.x.

Step 1. Check the version of the Redis server on Ubuntu

Run this command to check the Redis server version:


$ sudo redis-server --version

Step 2. Add apt source repositories

Run these commands to add the official apt source:

$ curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg

$ echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list

Step 3. Update apt repository and install Redis server

Run these two commands to update the apt repository and install the Redis server:

$ sudo apt update
$ sudo apt install redis

Step 4. Validate the Redis server version

Check the Redis server version again to validate that the upgrade succeeded:

$ sudo redis-server --version

We hope this article helped in understanding what is Redigo malware and how to protect your Redis server from Redigo malware.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
