A sneaky botnet dubbed HeadCrab that uses bespoke malware to mine for Monero has infected at least 1,200 Redis servers in the last 18 months.
The compromised servers span the US, UK, Germany, India, Malaysia, China and other countries, according to Aqua Security’s Nautilus researchers, who discovered the HeadCrab malware and have now found a way to detect it.
“The victims seem to have little in common, but the attacker seems to mainly target Redis servers and has a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware,” Asaf Eitani and Nitzan Yaakov reported.
Open-source Redis database servers do not have authentication switched on by default, which is something the HeadCrab attackers use to their advantage. If administrators don’t enable authentication, or ensure the servers run on a secure, closed network as opposed to being exposed to the internet, the servers are vulnerable to unauthorized access and command execution. It appears a lot of them aren’t.
Additionally, Redis clusters use master and slave servers for data replication and synchronization, which HeadCrab also takes advantage of in its attacks.
After they’ve found a server that doesn’t require authentication, the miscreants can compromise it using the default SLAVEOF command to set the victim server as a slave to an attacker-controlled Redis server. This allows them to synchronize the slave server and download the HeadCrab malware from the master server onto affected hosts.
While the security researchers don’t know who is behind the attacks, the motivation for compromising Redis servers appears to be illicit cryptocurrency mining. The Aqua team was able to extract the miner configuration file from memory, and they say it showed mining pools hosted primarily on private, legitimate IP addresses belonging to clean hosts or an unnamed “leading security company.”
Based on the attacker’s Monero wallet, Eitani and Yaakov estimate that the crooks expected an annual profit of about $4,500 per infected worker.
“We have noticed that the attacker has gone to great lengths to ensure the stealth of their attack,” the researchers noted.
This includes designing the malware to run in memory, and thus bypass volume-based scans, deleting logs using the Redis module framework and API, and communicating with a legitimate IP address (again to evade detection and reduce the likelihood of being flagged as malicious).
“Our analysis has also found that there are no detections of these binaries as malicious on Virus Total,” Eitani and Yaakov wrote, adding: “It is our conviction that HeadCrab will persist in using cutting-edge techniques to penetrate servers, either through exploiting misconfigurations or vulnerabilities.”
To protect against infections, the security researchers recommend not exposing Redis instances to the internet — or any other untrusted environment. Additionally, turn on protected mode for cloud-based Redis servers, and use the bind parameter to ensure that your server will only accept communication from known hosts.
Finally, if you don’t need the “slaveof” feature, Eitani and Yaakov “strongly advise disabling it.” ®
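As an added example, not code from Aqua Security or the Redis project, the following Python audit checks a redis.conf for the settings recommended above (protected mode, bind, a password, and SLAVEOF/REPLICAOF disabled via rename-command); both sample configs are constructed and the password value is a placeholder:

```python
"""Audit a redis.conf for the settings recommended above (added example; not
Aqua Security's or the Redis project's code). Sample configs are constructed."""

# Constructed sample: an internet-exposed instance of the kind HeadCrab abuses.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

# Constructed sample: loopback only, protected mode, auth, replication disabled.
# The requirepass value is a placeholder, not a real credential.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-STRONG-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_conf(text):
    """Map each directive (lowercased) to its argument strings; only '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        conf.setdefault(name.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text):
    """Return findings; an empty list means every checked setting is hardened."""
    conf = parse_conf(text)
    findings = []
    # Redis defaults protected-mode to yes; the last occurrence of a directive wins.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")
    bind = conf.get("bind")
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind[-1].split()):
        findings.append("bind missing or wildcard: listens on every interface")
    if not conf.get("requirepass") or not conf["requirepass"][-1]:
        findings.append("requirepass not set: unauthenticated access")
    # 'rename-command X ""' removes the command entirely.
    disabled = {e.partition(" ")[0].upper() for e in conf.get("rename-command", [])
                if e.partition(" ")[2].strip() in ('""', "''")}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} enabled: add 'rename-command {cmd} \"\"' if unused")
    return findings
```

Run `audit_redis_conf` over the contents of a real redis.conf; an empty result means the four checked settings match the advice above, while each finding names the directive to change.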