A sneaky botnet dubbed HeadCrab that uses custom malware to mine Monero has infected at least 1,200 Redis servers in the past 18 months.

The compromised servers span the US, UK, Germany, India, Malaysia, China and other countries, according to Aqua Security's Nautilus researchers, who discovered the HeadCrab malware and have now found a way to detect it.

"The victims seem to have little in common, but the attacker seems to primarily target Redis servers and has a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware," Asaf Eitani and Nitzan Yaakov reported.

Open-source Redis database servers do not have authentication switched on by default, which is something the HeadCrab attackers use to their advantage. If administrators do not enable authentication, or ensure the servers run on a secure, closed network rather than being exposed to the internet, the servers are vulnerable to unauthorized access and command execution. It appears plenty of them aren't.

Additionally, Redis clusters use master and slave servers for data replication and synchronization, which HeadCrab also takes advantage of in its attacks.

Once they've found a server that doesn't require authentication, the miscreants can compromise it using the default SLAVEOF command to set the victim server as a slave to an attacker-controlled Redis server. This allows them to synchronize the slave server and download the HeadCrab malware from the master server onto affected hosts.

While the security researchers don't know who's behind the attacks, the motivation for compromising Redis servers appears to be illicit cryptocurrency mining. The Aqua team was able to extract the miner configuration file from memory, and they say it showed mining pools hosted mostly on private, legitimate IP addresses belonging to clean hosts or an unnamed "major security company."

Based on the attacker's Monero wallet, Eitani and Yaakov estimate that the crooks expected an annual profit of about $4,500 per infected worker.

"We have seen that the attacker has gone to great lengths to ensure the stealth of their attack," the researchers noted.

This includes designing the malware to run in memory, and thus bypass volume-based scans, deleting logs using the Redis module framework and API, and communicating with a legitimate IP address (again to evade detection and reduce the chance of being flagged as malicious).

"Our analysis has also found that there are no detections of these binaries as malicious on VirusTotal," Eitani and Yaakov wrote, adding: "It is our conviction that HeadCrab will persist in using cutting-edge techniques to penetrate servers, either through exploiting misconfigurations or vulnerabilities."

To protect against infections, the security researchers recommend not exposing Redis instances to the internet, or any other untrusted environment. Additionally, turn on protected mode for cloud-based Redis servers, and use the bind parameter to ensure that your server will only accept communication from known hosts.

Finally, if you don't need the "slaveof" feature, Eitani and Yaakov "strongly advise disabling it." ®
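As an added example (not Aqua's or the Redis project's code), the script below audits a redis.conf for the exposure conditions this article describes: no authentication, a wildcard or missing bind, protected mode off, and the SLAVEOF command (and REPLICAOF, its newer name) left enabled. It assumes the standard directive names bind, protected-mode, requirepass and rename-command; the two sample configs are constructed.

```python
# Audit a redis.conf for the exposure conditions described above (added example,
# not Aqua's or the Redis project's code). Sample configs below are constructed.
from dataclasses import dataclass, field

WILDCARDS = {"0.0.0.0", "*", "::"}

@dataclass
class RedisConfig:
    bind: list = field(default_factory=list)    # interfaces from "bind"
    protected_mode: bool = True                 # Redis default is yes
    requirepass: bool = False                   # non-empty password set
    disabled: set = field(default_factory=set)  # commands renamed to ""

def parse_redis_conf(text: str) -> RedisConfig:
    """Minimal redis.conf reader: one directive per line, '#' lines are comments."""
    cfg = RedisConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "bind":
            cfg.bind = [a.lstrip("-") for a in args]  # Redis 7 optional "-" prefix
        elif key == "protected-mode":
            cfg.protected_mode = args[:1] == ["yes"]
        elif key == "requirepass":
            cfg.requirepass = bool(args) and args[0] != '""'
        elif key == "rename-command" and len(args) == 2 and args[1] == '""':
            cfg.disabled.add(args[0].upper())
    return cfg

def audit(cfg: RedisConfig) -> list:
    """One finding per condition that lets an unauthenticated remote client reach SLAVEOF."""
    findings = []
    if not cfg.requirepass:
        findings.append("no requirepass: any client can run commands")
    if not cfg.bind or WILDCARDS & set(cfg.bind):
        findings.append("bind missing or wildcard: listening on all interfaces")
    if not cfg.protected_mode:
        findings.append("protected-mode no: loopback-only fallback disabled")
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in cfg.disabled:
            findings.append(f"{cmd} enabled: replication from an arbitrary master allowed")
    return findings

WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"  # constructed
HARDENED_CONF = ("bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass CHANGE-ME\n"
                 'rename-command SLAVEOF ""\nrename-command REPLICAOF ""\n')  # constructed
```

Run `audit(parse_redis_conf(open("/etc/redis/redis.conf").read()))` on a real file to list which of the recommended mitigations are still missing.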
