New Migo malware disables protection features on Redis servers


Jasper_The_Rasper
Moderator

February 20, 2024 By Bill Toulas


New Migo malware disables security features on Redis servers

Security researchers discovered a new campaign that targets Redis servers on Linux hosts using a piece of malware called ‘Migo’ to mine for cryptocurrency.

Redis (Remote Dictionary Server) is an in-memory data structure store used as a database, cache, and message broker known for its high performance, serving thousands of requests per second for real-time applications in industries like gaming, technology, financial services, and healthcare.

Attackers constantly scan for exposed and potentially vulnerable Redis servers in order to hijack compute resources, steal data, and carry out other malicious activity.

What is interesting about the new malware strain is the use of system-weakening commands that turn off Redis security features, allowing cryptojacking activities to continue for extended periods.

The Migo campaign was detected by analysts at cloud forensics provider Cado Security, who observed on their honeypots that the attackers used CLI commands to turn off protective configurations and exploit the server.

Turning off Redis shields

Upon compromising an exposed Redis server, the attackers disable critical security features so that the server keeps accepting their subsequent commands and so that replicas become writable.

Cado says they noticed the attackers disabling the following configuration options through the Redis CLI.

  • set protected-mode: disabling this allows external access to the Redis server, making it easier for an attacker to execute malicious commands remotely.
  • replica-read-only: turning this off enables attackers to write directly to replicas and spread malicious payloads or data modification across a distributed Redis setup.
  • aof-rewrite-incremental-fsync: disabling it can lead to heavier IO load during append-only file (AOF) rewrites, potentially aiding attackers in remaining undetected by distracting detection tools with unusual IO patterns.
  • rdb-save-incremental-fsync: turning it off can cause performance degradation during RDB snapshot saves, potentially allowing attackers to cause a denial of service (DoS) or manipulate persistence behavior to their advantage.
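The four options above all default to "yes" in Redis, so a quick way to spot a server that has been weakened in the manner described is to audit its effective configuration. The script below is an added example, not code from the article or from Cado; it accepts either redis.conf-style text or the flat key/value list that `redis-cli CONFIG GET '*'` returns, and the sample config it checks is constructed to look like a server after the attackers' CONFIG SET calls.

```python
"""Audit a Redis configuration for the four hardening options the Migo campaign turns off.
Accepts redis.conf-style text or the flat key/value list that CONFIG GET returns.
Sample inputs are constructed."""
from typing import Dict, Iterable, List

# Hardened value for each option the article says the attackers disable.
# All four default to "yes" in Redis, so an absent key counts as hardened.
HARDENED: Dict[str, str] = {
    "protected-mode": "yes",
    "replica-read-only": "yes",
    "aof-rewrite-incremental-fsync": "yes",
    "rdb-save-incremental-fsync": "yes",
}

def parse_redis_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; later lines override earlier ones."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().strip('"').lower()
    return settings

def parse_config_get(items: Iterable[str]) -> Dict[str, str]:
    """Pair up the alternating key, value entries that CONFIG GET returns."""
    flat = list(items)
    return {flat[i].lower(): flat[i + 1].lower() for i in range(0, len(flat) - 1, 2)}

def audit_settings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per option whose value differs from the hardened one."""
    return [
        f"{key}: is '{settings[key]}', expected '{expected}'"
        for key, expected in HARDENED.items()
        if key in settings and settings[key] != expected
    ]

# Constructed sample: a config after the CONFIG SET calls the article describes.
SAMPLE_WEAKENED_CONF = """\
bind 0.0.0.0
protected-mode no
replica-read-only no
aof-rewrite-incremental-fsync no
rdb-save-incremental-fsync yes
"""

if __name__ == "__main__":
    for finding in audit_settings(parse_redis_conf(SAMPLE_WEAKENED_CONF)):
        print(finding)
```

Running it against a live instance means feeding `parse_config_get` the list returned by `CONFIG GET '*'` rather than the file on disk, since the attackers change the running configuration without necessarily touching redis.conf.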
