[MART] - Daily Diary #479 - Muhstik Botnet Exploiting Redis Servers

CTAS-MAT ctas-mat at appgate.com
Mon Mar 28 22:26:33 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

03/28/2022 - Diary entry #479:

Covered in Daily Diaries #410 and #414, Muhstik is a botnet disclosed in 2018 that was actively exploiting the Log4Shell vulnerability in December last year. Muhstik has a backdoor module that adds an SSH public key to the victim's authorized keys, allowing an attacker to log in to the server remotely by authenticating with the injected key.

Now, Muhstik has been spotted targeting Redis servers, exploiting another recently disclosed vulnerability. Tracked as CVE-2022-0543, it can be exploited remotely using specially crafted Lua scripts to escape the Lua sandbox and execute arbitrary code. The vulnerability affects some Debian/Ubuntu packages because the Lua library used by Redis is provided as a dynamic library, allowing access to arbitrary Lua functionality.

Redis is an open-source, in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. This vulnerability is critical and very simple to exploit, with proofs of concept already publicly available. Therefore, we recommend that all systems running Redis on Debian, Ubuntu, and possibly other Debian-based distros be patched with the latest Redis updates.

Kind Regards,


Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
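
The backdoor behaviour described in this entry (an SSH public key injected into a server's authorized keys) can be checked for by comparing the fingerprint of every key entry against an allowlist. The following is an added example, not part of the original message or any Appgate tooling; the function names, sample keys and comments are constructed for illustration.

```python
import base64, hashlib, re, struct

# Key type, base64 blob, optional comment; options may precede the key type.
KEY_RE = re.compile(
    r"\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-[\w-]+|sk-[\w-]+@openssh\.com)"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")

def fingerprint(b64_blob):
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    blob = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, approved):
    """Return (line number, fingerprint or error, comment) for unapproved entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append((lineno, "unparseable", line[:40]))
            continue
        try:
            fp = fingerprint(m.group(2))
        except ValueError:  # binascii.Error subclasses ValueError
            findings.append((lineno, "bad-base64", m.group(3) or ""))
            continue
        if fp not in approved:
            findings.append((lineno, fp, m.group(3) or ""))
    return findings

def _sample_key(seed):
    # Constructed ed25519-shaped blob for the demo, not a real key.
    pub = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()

ADMIN, UNKNOWN = _sample_key(b"admin"), _sample_key(b"unknown")
SAMPLE = f"""# constructed sample authorized_keys
ssh-ed25519 {ADMIN} admin@example
no-pty,command="/usr/bin/true" ssh-ed25519 {UNKNOWN} injected-example
"""
APPROVED = {fingerprint(ADMIN)}  # allowlist of fingerprints you expect

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE, APPROVED):
        print("unapproved key:", *finding)
```

In practice the text would be read from each account's authorized keys file and the allowlist built from the keys the administrators actually issued.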
