Attackers are abusing an eight-year-old version of the Redis open source database server to deploy Metasploit's Meterpreter module, which can expose a system to further exploits and potentially allow the acquisition and distribution of a variety of other malware.
Researchers at the AhnLab Security Intelligence Center (ASEC) reported in a blog post that attackers are likely exploiting inappropriate settings or a vulnerability present in a Redis implementation to deploy Meterpreter for nefarious uses.
“Such malware strains attack Redis Server open to the public on the Internet with the authentication feature disabled,” ASEC researcher Sanseo wrote in the post. “After gaining access to Redis, threat actors can install malware through known attack methods.”
Meterpreter is a component of the legitimate Metasploit pen-testing tool that allows threat actors to retrieve various Metasploit modules, or working exploits for known bugs, and then use them on the targeted system, according to ASEC. Metasploit is a tool similar to Cobalt Strike, which is also often abused by threat actors to carry out attacks.
“When Metasploit is installed, the threat actor can take control of the infected system and even dominate an organization’s internal network using the various features offered by the malware,” Sanseo explained.
How it’s done
Redis is an open source in-memory data structure store that is increasingly used in various ways in cloud environments; according to ASEC, its main purposes are typically session management, message brokering and queues. This increased prevalence is also making it a more popular target for attackers, who have abused vulnerable Redis servers to spread a variety of malware, including P2PInfect, Skidmap, Migo and HeadCrab.
Using Metasploit Meterpreter, there are two main attack methods that actors can use to spread malware once they gain access to Redis. The first is to register the malware execution command as a cron task; the other is to use the SLAVEOF command to make the compromised instance a slave (replica) of an attacker-controlled Redis server that contains the malware.
ASEC witnessed an attack against a Windows system running Redis version 3.x, which dates from 2016. The age of the misused platform means it “was likely vulnerable to attacks exploiting misconfigurations or hacks to known vulnerabilities,” Sanseo noted.
In the attack, the threat actor first downloaded PrintSpoofer, a privilege escalation tool, into the Redis installation path. Attackers often use this tool against vulnerable services that are not managed properly or have not been updated to a recent version; in fact, ASEC has seen a flurry of these attacks against Redis starting in the second half of last year.
“The difference between past and current cases is that PrintSpoofer is installed using the CertUtil tool instead of PowerShell,” Sanseo explained.
Meterpreter as a malicious backdoor
After installing PrintSpoofer, the threat actor installed the Meterpreter stager. Meterpreter comes in two types of module, and the difference between them lies in how it is installed. Meterpreter is to the Metasploit tool what Beacon is to Cobalt Strike.
When an attacker uses the stager, the installation occurs via the staged version, which downloads Meterpreter directly from the attacker’s command and control (C2) server. This keeps the initial payload’s footprint small, unlike the “stageless” version, which carries Meterpreter inside the payload itself, according to ASEC.
Once this process is complete, Meterpreter runs in memory, allowing the threat actor to take control of the infected system and “even dominate an organization’s internal network using the various features offered by the malware,” Sanseo wrote.
Update now
ASEC included in its post a list of attack files, behaviors, and indicators of compromise to help network administrators identify evidence of the threat on a system.
To avoid being compromised by this attack vector, ASEC advised administrators of environments with Redis 3.x installed to immediately update the server with available patches to ensure known vulnerabilities cannot be exploited. The best-case scenario, however, would be to upgrade from version 3 to the latest version of the server.
Administrators should also install security protection software that limits external access to Redis servers open to the Internet, so that the servers cannot be identified and abused, ASEC advised.
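As an added example (not code from the ASEC post or the Redis project), the following Python audit reads a redis.conf and flags the conditions the article describes: authentication disabled, the server reachable on every interface, replication pointed at a host outside private ranges, and the CONFIG and SLAVEOF/REPLICAOF commands used by the cron and rogue-master methods left available to any client. The sample configuration, the private-range pattern and the directive defaults are constructed assumptions.

```python
import re
# Constructed sample redis.conf (not from the ASEC report) showing the exposure
# the article describes: listening on every interface, protected mode off, no
# requirepass line, and replication pointed at a host outside private ranges.
SAMPLE_CONF = """
bind 0.0.0.0
protected-mode no
replicaof 203.0.113.10 6379
"""

# Loopback plus RFC 1918; a replication master outside these ranges is suspect.
PRIVATE = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$)")

# Commands behind the article's persistence methods: CONFIG (writing a cron file)
# and SLAVEOF/REPLICAOF (replicating a rogue master).
SENSITIVE_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF")

def parse_conf(text):
    """Last args per directive, plus commands renamed or disabled via rename-command."""
    conf, renamed = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        name = name.lower()
        if name == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())
        else:
            conf[name] = args
    return conf, renamed

def audit_redis_conf(text):
    """List settings that leave Redis open to the attack chain in the article."""
    conf, renamed = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("requirepass missing: authentication is disabled")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients accepted")
    binds = conf.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: server listens on all interfaces")
    for directive in ("replicaof", "slaveof"):
        if directive in conf and not PRIVATE.match(conf[directive][0]):
            findings.append(f"{directive} {conf[directive][0]}: master outside private ranges")
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed or disabled: usable by any client")
    return findings
```

Running `audit_redis_conf(SAMPLE_CONF)` returns seven findings for the sample; a configuration with `bind 127.0.0.1`, `protected-mode yes`, a `requirepass` line and all three commands renamed returns none.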