Worm Infects Redis, Windows Servers with Cryptomining Malware

Security researchers have come across a new cryptojacking worm that infects Redis and Windows servers with cryptomining malware.

The attack, which has been dubbed RedisWannaMine by researchers from security firm Imperva, scans for misconfigured Redis deployments and Windows Servers that are still vulnerable to the Eternal Blue SMB exploit.

While investigating an attack against a web server that attempted to exploit the CVE-2017-9805 vulnerability in Apache Struts, the Imperva researchers located a command-and-control server hosting multiple attack scripts. One of those scripts was a new cryptomining downloader that exhibited worm-like behavior.

When executed, the script attempts to install a variety of packages through apt-get or yum—depending on the Linux distribution—creates entries in crontab for persistence and adds a new authorized SSH key for authentication. It then proceeds to download a tool called masscan from GitHub and compiles it.

Masscan is a high-performance TCP port scanner and is used by RedisWannaMine to scan external and internal IP addresses for Redis deployments. Redis is an in-memory data store that can be used as a database, cache or message broker. It is usually deployed on internal networks, but thousands of such servers have been found exposed on the internet in the past.

When an unprotected Redis server is discovered, the script installs cryptomining malware on it and creates crontab entries for persistence. The script then launches another scan, this time for Windows Servers that accept SMB connections.

The goal of the second scan is to find servers that are vulnerable to the Eternal Blue SMB exploit used by WannaCry, NotPetya and other malware attacks over the past year. When such a servers are identified, the script downloads and installs a different cryptomining component for Windows.

Compared to past cryptojacking attacks that primarily target servers available on the internet, RedisWannaMine also spreads laterally through local networks, making it much more dangerous to companies.

The malware “is more complex in terms of evasion techniques and capabilities,” the Imperva researchers said in a report. “It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets. In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute!”

Cisco Fixes Critical Flaws in Secure Access Control System and Collaboration Provisioning

Cisco systems has fixed two critical vulnerabilities in its Secure Access Control System (ACS) and Prime Collaboration Provisioning (PCP) software that could allow attackers to take control of underlying machines.

ACS is a server appliance managed through a web-based interface that enforces access control policies for wireless and wired network clients using protocols such as RADIUS (Remote Access Dial In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus).

The vulnerability fixed in ACS is a Java deserialization issue that could be exploited by remote attackers to execute arbitrary commands on the appliance with root privileges. Because it can lead to a full compromise, the flaw is rated 9.8 out of 10.0 on the CVSS scale.

The vulnerability is fixed in the Cisco Secure ACS 5.8.0.32.9 Cumulative Patch and affects all previous versions. There is no known workaround, so updating is the only option to keep systems secure.

Java object deserialization is a class of bugs that came into the spotlight in 2015, when it was discovered in the Collections component of the popular Apache Commons library.

In programming languages, serialization is the process of converting data into a binary format for storing it or for sending it over the network. Deserialization is the reverse of that process and is a common operation in Java. However, if the deserialized object is the result of untrusted user input, extra checks must be used to make sure no risky classes are included in it.

For the past three years Java object deserialization flaws have been found and patched in many software projects, so this class of bugs will continue to be with us for the foreseeable future.

Cisco also released a patch for its Prime Collaboration Provisioning (PCP) to remove a hard-coded account that could be used to access the underlying Linux system over SSH. While the account doesn’t provide root privileges, there are ways to escalate to root after logging in, which is why the flaw has been rated critical. The vulnerability affects only version 11.6 of Cisco PCP and was fixed in version 12.1 and later.

The company has also fixed a high-severity credential validation bug that could allow attackers to access the FTP server in the Cisco Web Security Appliance (WSA) without a password. The flaw affects only the 10.5.x branch of AsyncOS for WSA and was fixed in version 10.5.2-042.

Featured eBook
The State of Open Source Vulnerability Management

The State of Open Source Vulnerability Management

The rise in open source usage has led to a dramatic rise in open source vulnerabilities, bringing to the fore interesting developments in open source security. The report drills down into the deeper layers of the open source phenomena and provides the latest insights on how organizations are handling vulnerabilities and what the future holds. 4 Key ... Read More
WhiteSource

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 270 posts and counting.See all posts by lucian-constantin

One thought on “Worm Infects Redis, Windows Servers with Cryptomining Malware

Comments are closed.