Scores of Redis Servers Infested by Sophisticated Custom-Built Malware

An unknown threat actor has been quietly mining Monero cryptocurrency on open source Redis servers around the world for years, using a custom-made malware variant that is virtually undetectable by agentless and conventional antivirus tools.

Since September 2021, the threat actor has compromised at least 1,200 Redis servers (which thousands of mostly smaller organizations use as a database or a cache) and taken complete control over them. Researchers from Aqua Nautilus, who spotted the campaign when an attack hit one of the company's honeypots, are tracking the malware as “HeadCrab.”

Sophisticated, Memory-Resident Malware

In a blog post this week, the security vendor described HeadCrab as memory-resident malware that presents an ongoing threat to Internet-connected Redis servers. Many of these servers have no authentication configured at all: Redis ships without a password requirement, on the assumption that it will run on a trusted, closed network rather than be reachable from the Internet.

Aqua's analysis of HeadCrab showed that the malware is designed to take advantage of how Redis replicates data from a master node to its replicas. Replication is set up with a single command, SLAVEOF (renamed REPLICAOF in Redis 5, though the old name still works), which tells one server to become a “slave” of another “master” server. A slave synchronizes with its master through a full sync: it accepts whatever the master sends as its dataset snapshot and writes it to disk. That is the hook the attack relies on. A master under an attacker's control can send a shared-object file in place of a real snapshot, and a Redis module is exactly that: a shared library that administrators load into the redis-server process to extend its functionality, with no sandbox around the native code it contains.

Aqua's researchers found HeadCrab exploiting this process to load a cryptocurrency miner on Internet-exposed Redis systems. In the attack on its honeypot, for instance, the threat actor used the legitimate SLAVEOF command to designate the Aqua honeypot as the slave of an attacker-controlled master Redis server. The master then initiated a synchronization in which the honeypot received a malicious Redis module containing the HeadCrab malware; once that shared object was on disk, the attacker could load it into the Redis process like any other module.
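The sequence above leaves a recognizable trace in Redis's own MONITOR stream: an unauthenticated client issuing SLAVEOF (or REPLICAOF) toward a host that is not the node's approved master, followed by a module load. The script below is an added example, not Aqua's tooling or code from the Redis project. The MONITOR line shape is Redis's, but the sample lines are constructed, the allowlist of legitimate masters is a hypothetical topology you would replace with your own, and the module path is a placeholder. The MODULE LOAD check is included because a module on disk does nothing until that command (the standard way to load one) is issued.

```python
"""Flag a replication hijack in a Redis MONITOR stream (added example, not Aqua's code)."""
import re
import shlex

# Redis MONITOR line shape: <unix ts> [<db> <ip>:<port>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.+)$")

# Hypothetical topology: the only master this node is ever supposed to follow.
ALLOWED_MASTERS = {("10.0.0.5", "6379")}

# Constructed sample stream: ordinary traffic, then an outside client pointing the
# node at its own host with SLAVEOF and loading a module after the sync has landed,
# then an operator promoting the node and re-pointing it at the approved master.
SAMPLE_MONITOR = """\
1675252800.100000 [0 10.0.0.7:51522] "GET" "session:42"
1675252801.200000 [0 203.0.113.9:40144] "SLAVEOF" "203.0.113.9" "8888"
1675252806.500000 [0 203.0.113.9:40144] "MODULE" "LOAD" "/tmp/dump.so"
1675252807.600000 [0 10.0.0.7:51522] "SLAVEOF" "NO" "ONE"
1675252808.700000 [0 10.0.0.7:51522] "REPLICAOF" "10.0.0.5" "6379"
"""


def parse_monitor_line(line):
    """Return {"ts", "client", "argv"} for one MONITOR line, or None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("argv"))  # MONITOR quotes every token
    if not argv:
        return None
    argv[0] = argv[0].upper()  # the command name is echoed as the client typed it
    return {"ts": float(m.group("ts")), "client": m.group("client"), "argv": argv}


def detect_replication_hijack(monitor_text):
    """Return a (ts, client, reason) tuple for each suspicious command in the stream."""
    findings = []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        argv, client = ev["argv"], ev["client"]
        client_ip = client.rsplit(":", 1)[0]
        cmd = argv[0]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(argv) == 3:
            host, port = argv[1], argv[2]
            if host.upper() == "NO" and port.upper() == "ONE":
                continue  # "SLAVEOF NO ONE" promotes the node back to master; not a hijack
            if (host, port) not in ALLOWED_MASTERS:
                reason = f"{cmd} to unapproved master {host}:{port}"
                if host == client_ip:
                    reason += " (same host as the issuing client)"
                findings.append((ev["ts"], client, reason))
        elif cmd == "MODULE" and len(argv) >= 3 and argv[1].upper() == "LOAD":
            findings.append((ev["ts"], client, f"MODULE LOAD {argv[2]}"))
    return findings


if __name__ == "__main__":
    for ts, client, reason in detect_replication_hijack(SAMPLE_MONITOR):
        print(f"{ts:.3f} {client} {reason}")
```

MONITOR carries a real cost on a busy node, so in production you would feed the same parser from a short, targeted capture or from a proxy log that records command names; the logic is the same. The allowlist comparison is deliberately exact: a legitimate master is a fixed host and port, and anything else issuing SLAVEOF to an Internet-facing node is worth an alert on its own.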

Asaf Eitani, security researcher at Aqua, says several features of HeadCrab suggest a high degree of sophistication and familiarity with Redis environments.

One big sign of that is the use of the Redis module framework as a tool to perform malicious actions, in this case downloading the malware. Also significant is the malware's use of the Redis API to communicate with an attacker-controlled command-and-control (C2) server, hosted on what appeared to be a legitimate but compromised server, Eitani says.

“The malware is specifically built for Redis servers, as it heavily relies on Redis Modules API usage to communicate with its operator,” he notes.

HeadCrab implements sophisticated obfuscation features to remain hidden on compromised systems, executes more than 50 actions in a completely fileless fashion, and uses a dynamic loader to execute binaries and evade detection. “The threat actor is also modifying the normal behavior of the Redis service to obscure its presence and to prevent other threat actors from infecting the server by the same misconfiguration he used to gain execution,” Eitani notes. “Overall, the malware is very complex and uses multiple methods to achieve an edge on defenders.”

The malware is optimized for cryptomining and appears custom-designed for Redis servers, but it has built-in options to do a lot more, Eitani says. As examples, he points to HeadCrab's ability to steal SSH keys to infiltrate other servers and potentially steal data, and its ability to load a fileless kernel module to completely compromise a server's kernel.

Assaf Morag, threat lead analyst at Aqua, says the company has not been able to attribute the attacks to any known threat actor or group of actors. But he suggests that organizations using Redis servers should assume a full breach if they detect HeadCrab on their systems.

“Harden your environments by scanning your Redis configuration files, ensure the server requires authentication and doesn't allow 'slaveof' commands if not necessary, and do not expose the server to the Internet if not necessary,” Morag advises.
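Each item in that advice maps to a directive in redis.conf, so the scan Morag recommends can be automated. The script below is an added example, not Aqua's tooling or anything from the Redis project. The directive names are Redis's own (requirepass, bind, protected-mode, rename-command, and, on Redis 7 and later, enable-module-command); the two configuration texts are constructed, the password is a placeholder, and because older versions have no enable-module-command at all, the check treats MODULE as reachable unless the file disables it explicitly.

```python
"""Audit a redis.conf for the settings HeadCrab's delivery chain depends on (added example)."""
import shlex

# Constructed: an Internet-reachable cache with the defaults left in place.
WEAK_CONF = """\
# constructed sample, not a real deployment
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed: private interface only, password required, and the replication and
# module commands removed so a SLAVEOF-based delivery has nothing to call.
HARDENED_CONF = """\
# constructed sample; replace the placeholder password before use
bind 10.0.0.7 127.0.0.1
protected-mode yes
requirepass "s3cure-long-random-string-replace-me"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
enable-module-command no
"""

# bind values that listen on every interface (IPv4 and the Redis 6.2+ "-::*" form).
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Return a list of (directive, args) pairs; '#' lines are comments, as in Redis."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # redis.conf quotes arguments the same way a shell does
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text):
    """Return (code, explanation) tuples for each weakness found; [] means clean."""
    values, disabled = {}, set()
    for name, args in parse_conf(text):
        if name == "rename-command":
            if len(args) == 2 and args[1] == "":
                disabled.add(args[0].upper())  # renaming to "" removes the command entirely
        else:
            values[name] = args  # for repeated directives the last one wins, as in Redis
    findings = []
    password = values.get("requirepass", [""])
    if not password or password[0] == "":
        findings.append(("NO_AUTH", "no requirepass: anyone who reaches the port can issue commands"))
    if any(b.lstrip("-") in ALL_INTERFACES for b in values.get("bind", ["0.0.0.0"])):
        findings.append(("EXPOSED_BIND", "bind listens on all interfaces (or is absent, which means the same)"))
    if values.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode no removes the last guard on an unauthenticated node"))
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append(("REPLICATION_COMMANDS_ENABLED", "SLAVEOF/REPLICAOF still callable; remove them unless this node is a replica"))
    module_switch = values.get("enable-module-command", ["yes"])[0].lower()  # pre-7 Redis: always on
    if "MODULE" not in disabled and module_switch != "no":
        findings.append(("MODULE_LOAD_ENABLED", "MODULE LOAD reachable; a synced shared object can be loaded"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, [code for code, _ in audit(conf)])
```

Run it against the files your configuration management actually deploys rather than a copy on a workstation; `CONFIG GET` on a live node is the better source of truth, since runtime changes never reach the file. On Redis 6 and later, ACL rules that deny MODULE, SLAVEOF and REPLICAOF to application users achieve the same end as rename-command without touching the command table, and the audit should accept either.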

Morag says a Shodan search showed more than 42,000 Redis servers connected to the Internet. Of these, some 20,000 allowed some sort of access and could potentially be infected through a brute-force attack or a vulnerability exploit, he says.

HeadCrab is the second Redis-targeted malware that Aqua has reported in recent months. In December, the security vendor discovered Redigo, a Redis backdoor written in the Go language. As with HeadCrab, Aqua discovered the malware when threat actors installed it on a vulnerable Redis honeypot.

“In recent years, Redis servers have been targeted by attackers, often through misconfiguration and vulnerabilities,” according to Aqua's blog post. “As Redis servers have become more popular, the frequency of attacks has increased.”

Redis expressed in a statement its support for cybersecurity researchers and said it wanted to recognize Aqua for getting the report out to the Redis community. “Their report shows the potential dangers of misconfiguring Redis,” the statement said. “We encourage all Redis users to follow the security guidance and best practices published within our open source and commercial documentation.”

There are no signs that Redis Enterprise software or Redis Cloud services have been impacted by the HeadCrab attacks, the statement added.
