What is Redis?
Redis is an open source in-memory database and cache which act as a real-time applications that needed a way to deliver data to their clients faster than a relational database could handle. It allows data fetching and delivery in short response time, allowing millions of requests per seconds. Redis assures responsiveness by using a cache to store frequently accessed data in memory.
Redis client and Redis server are the two fundamental activities that make up the Redis architecture. The primary component of the system is the Redis server. Additionally, the server has a Lua scripting engine that enables users to upload and run Lua programmes right on the server. The procedure of reading and writing data from scripts is quite effective because to this capability. However, a flaw in the Lua scripting engine was found in 2022. The Lua library offered a dynamic library in some Debian packages. A package variable is loaded by the Redis server when it loads the Lua library. The package is used to call any Lua library and is kept in the Lua sandbox. This led to a Lua sandbox escape that gave an attacker the ability to run
Initial access attempts starts with the scanning of servers with port 6379 on which Redis server runs and series of commands like below are executed:
- INFO command – this command allows adversaries to receive information about our Redis server. Among the data they receive, they now know which server’s version is vulnerable to CVE-2022-0543 (As we explained earlier, the honeypot was built with this vulnerability on purpose). This information provides adversaries with the approval they would need to be able to exploit the vulnerability and allow them to start preparing the surface to exploit it.
- SLAVEOF command – this allows adversaries to create a replica of the attacking server. This action will later help them download the shared object allowing for the exploitation of the vulnerability.
- REPLCONF command – this command is used in order to configure a connection from the master (the attacking server) to the replica that just was created.
- PSYNC command – the new replica runs this command and initiates a replication stream from the master. This connection keeps the replica updated and allows the master to send a stream of commands. The attacking server that is defined as the master uses this connection to download the shared library exp_lin.so to the disk of the replica. Furthermore, this connection can use the adversaries as a backdoor, where in case of interrupts during the connection the replica is reconnects and tries to obtain the part of the stream of commands it missed during the disconnection.
- MODULE LOAD command – this allows for the loading of a module from the dynamic library downloaded at stage 4 at runtime. This library allows for exploitation of the vulnerability and runs arbitrary commands later.
- SLAVEOF NO ONE command – this turns off the replication and converts the vulnerable Redis server into a master.
“We limit the attack duration in our honeypots, and, thus, it is hard to say if we’ve seen the full scope of the impact. Based on similar attacks, we can speculate that when attackers add a targeted host to a large botnet it usually means that the compromised server will take part in a Distributed Denial of Service (DDoS) campaign against target applications and affect their business. Another plausible scenario is to run cryptominers on the targeted host. Furthermore, since this is a database, attackers can exploit the host to steal data or secrets and gain further foothold in the environment. In any case, each scenario can make an impact on the resources of the compromised server which is now used as part of a co-opted system to solve resource intensive problems that may impact its availability to the users who daily use its services.” reads the report.
Indicators of Compromise (IOCs)