Redis Servers under Muhstik Botnet Attack using Recently Disclosed Vulnerability
Reading Time: 2 minutes

Redis servers under Muhstik botnet attacks, bad actors are using a web application to exploit the recently disclosed vulnerability in the database system. 

According to the recently disclosed CVE-2022-0543 vulnerability rated 10 out of 10 for severity, it is a Lua sandbox escape flaw in the open-source, in-memory, key-value data store. This can be abused to achieve remote code execution on the underlying machine. 

Ubuntu in an advisory last month said, “Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host.” 

Juniper Threats Labs in its telemetry data information revealed the attacks leveraging the new flaw. The attacks started on March 11, 2022, leading to the retrieval of a malicious shell script (“russia.sh”) from a remote server. This is later used to fetch and execute the botnet binaries from another server.

The Muhstik botnet was documented by Chinese security firm Netlab 360 and has been active since March 2018. The botnet is monetized to carry out coin mining activities and stage distributed denial-of-service (DDoS) attacks.

It is capable of self-propagating on Linux and IoT devices like GPON home routers, DD-WRT routers, and Tomato routers

Common Flaws Muhstik is known to exploit over the years.

  • CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
  • CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability
  • CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability
  • CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and
  • CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell)

According to Juniper Threat Labs researchers in a report published last week, “This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force.” 

Users are highly recommended to patch Redis services to the latest version in the light of active exploitation of the critical security flaw.

Related Articles:
Okta Accepts its Mistake in Handling the Lapsus$ Attack
Chatbot Scam- Cyber Criminals Sending Phishing Emails to Trace Deliveries
Russian Cyclops Blink Botnet New version targets ASUS Routers