A new type of malware, dubbed “HeadCrab”, has been discovered by Nitzan Yaakov and Asaf Eitani, researchers at Aqua Security. It is designed to target vulnerable Redis servers on the internet and has already infiltrated over a thousand servers, forming a botnet network that is utilized for Monero mining.
HeadCrab: A Quick-Spreading Malware
HeadCrab is a quick-spreading malware that operates stealthily and has already infiltrated over a thousand servers, forming a botnet network. This sophisticated group has created highly specialized custom malware, utilizing state-of-the-art techniques, to evade detection and exploit vulnerable Redis servers.
Malware Attack Flow
HeadCrab exploits the fact that there is no authentication enabled by default on Redis servers. Upon gaining access to a server without authentication, the malicious actors issue a command entitled ‘SLAVEOF’ and once the system is hijacked, the HeadCrab malware is installed and launched. HeadCrab empowers threat actors with all the abilities they need to completely take control of a targeted server and add it to their cryptomining botnet.
Profit & Redis Commands The Monero wallet linked to this botnet generated an annual profit of approximately $4,500 as a result of the attackers’ activities. These profit margins are much higher than what is usually earned by similar operations, which make $200/worker on average.
The Redis commands used by the threat actors are: rdsa, rdss, rdsp, rdsi, rdsm, rdsc, rdsr, and rdsx.
Mitigation
To mitigate the security risks associated with Redis servers and ensure the Redis configuration is aligned with the best practices of security, administrators must take steps to harden the environment. Here are some recommended steps:
- Do not allow untrusted clients to access Redis.
- Enable protected mode for enhanced security.
- Utilize the bind parameter to accept communication from familiar hosts.
- Disable the ‘slaveof’ feature if it is not actively used.
- Check the supply chain of your software to make sure everything is in order.
- Empower your developers, DevOps, and security teams to identify vulnerabilities with tools that scan for vulnerabilities and misconfiguration.
Conclusion
HeadCrab malware is a threat to Redis servers and it is important for administrators to take the necessary steps to secure their environment. By following the recommended mitigation steps, administrators can ensure that their Redis servers are used in a secure and trusted environment.