Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.
The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.
“Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,” Ubuntu noted in an advisory released last month.
According to telemetry data gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (“russia.sh”) from a remote server, which is then used to fetch and execute the botnet binaries from another server.
First documented by Chinese security firm Netlab 360, Muhstik is known to have been active since March 2018 and is monetized for carrying out coin mining operations and staging distributed denial-of-service (DDoS) attacks.
Capable of self-propagating on Linux and IoT devices such as GPON home routers, DD-WRT routers, and Tomato routers, Muhstik has been observed weaponizing a number of flaws over the years:
- CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability
- CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability
- CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and
- CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell)
“This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,” Juniper Threat Labs researchers said in a report published last week.
In light of active exploitation of the critical security flaw, users are strongly advised to move quickly to patch their Redis services to the latest version.
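Patching is the fix, but while a fleet is being updated a defender also wants to know whether anyone has been sending Lua to an exposed Redis instance. The script below is an added example written for this article, not code from Juniper Threat Labs, Netlab 360 or the Redis project. It parses the output format of the real `redis-cli MONITOR` command (`<timestamp> [<db> <client>] "<CMD>" "<arg>" ...`) and flags scripting commands (`EVAL`, `EVALSHA`, `SCRIPT`) that come from a client outside an operator-supplied allowlist, or whose script body carries downloader-style strings such as a URL or a `.sh` filename, as the `russia.sh` stage described above would. The sample log lines, the allowlist and the indicator strings are constructed for the example and should be tuned to your environment.

```python
import re
from dataclasses import dataclass

# One line of `redis-cli MONITOR` output looks like:
#   1646956800.101 [0 10.0.0.12:40112] "SET" "session:abc" "1"
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<rest>.*)$'
)
# Each argument is double-quoted; MONITOR escapes embedded quotes as \" and
# non-printable bytes as \xNN, so allow backslash escapes inside a token.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands that hand Lua to the server (the surface CVE-2022-0543 is reached through).
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}

# Constructed heuristic: substrings that rarely belong in legitimate application
# Lua but do show up when a script is used to stage a downloader.
DOWNLOAD_HINTS = ("http://", "https://", "wget ", "curl ", ".sh")

# Constructed sample MONITOR lines: two from an application host, two from an
# unknown Internet address, the last one referencing the russia.sh stage.
SAMPLE_MONITOR = [
    '1646956800.101 [0 10.0.0.12:40112] "SET" "session:abc" "1"',
    '1646956801.202 [0 10.0.0.12:40112] "EVALSHA" "b1b2c3" "1" "counter"',
    '1646956802.303 [0 203.0.113.45:51234] "EVAL" "return 1" "0"',
    '1646956803.404 [0 203.0.113.45:51234] "EVAL" '
    '"local url = \\"http://198.51.100.7/russia.sh\\"; return url" "0"',
]


@dataclass
class Finding:
    ts: float
    addr: str
    command: str
    reasons: list


def parse_monitor_line(line):
    """Return (timestamp, client address, [command, arg, ...]) or None if the
    line is not a MONITOR record (e.g. the leading 'OK' banner)."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    raw_args = ARG_RE.findall(m.group("rest"))
    if not raw_args:
        return None
    # Undo MONITOR's backslash escaping so the script body can be inspected.
    args = [bytes(a, "latin-1").decode("unicode_escape") for a in raw_args]
    return float(m.group("ts")), m.group("addr"), args


def scan_monitor(lines, trusted_hosts):
    """Flag scripting commands from untrusted clients and/or with downloader
    indicators in the script body. trusted_hosts is a set of IP strings."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, addr, args = parsed
        cmd = args[0].upper()
        if cmd not in SCRIPTING_COMMANDS:
            continue
        host = addr.rsplit(":", 1)[0]          # strip the client port
        body = " ".join(args[1:]).lower()
        reasons = []
        if host not in trusted_hosts:
            reasons.append("scripting command from untrusted client")
        hits = [h for h in DOWNLOAD_HINTS if h in body]
        if hits:
            reasons.append("script body contains downloader indicator(s): " + ", ".join(hits))
        if reasons:
            findings.append(Finding(ts, addr, cmd, reasons))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: only the application host may run scripts.
    for f in scan_monitor(SAMPLE_MONITOR, {"10.0.0.12"}):
        print(f"{f.ts:.3f} {f.addr} {f.command}: {'; '.join(f.reasons)}")
```

In practice the lines would come from a saved `MONITOR` capture or from a proxy that logs the Redis protocol; `MONITOR` itself is costly on a busy instance, so it is a triage tool rather than something to leave running. Any hit from a host that should never reach the database at all is also a sign the instance is exposed without authentication, which is worth fixing alongside the upgrade.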
Some parts of this article are sourced from:
thehackernews.com