Redis (Remote Dictionary Server) is a popular open-source database and cache that operates entirely in memory. It is used as a caching layer when real-time applications need data delivered faster than a relational database can serve it; because it reads from memory, Redis fetches data very quickly and can handle millions of requests per second.
In February 2022 it was discovered that, due to a packaging issue, some versions of Redis are prone to a Lua sandbox escape that can result in remote code execution. The vulnerability was assigned the identifier CVE-2022-0543 on 28 Mar 2022[1]. In some Debian packages, when the Redis server loads a dynamic library provided by Lua, the package path is exposed as a variable. An attacker can modify this variable to load any Lua library, which gives them scope to execute arbitrary Lua commands.
On 01 Dec 2022 researchers from Aqua Nautilus[2] discovered new malware, written in Go, that was attacking Redis servers. The attack was observed against a honeypot, and the attack chain also exploited CVE-2022-0543. The following diagram shows the attack chain used in this attack.
Figure 1 Attack chain for CVE-2022-0543 and Redigo malware
The purpose of this article is to demonstrate how FortiEDR is able to detect and mitigate current threats associated with this vulnerability. This article will also demonstrate what events are generated by these threats if they are observed in a FortiEDR protected environment.
After gaining access to a vulnerable Redis server, the threat actors involved in the campaign described by Aqua Nautilus attempt to download a malicious ELF binary, “redis-1.2-SNAPSHOT”, using the ‘wget’ command. Attempts to use wget to download external payloads trigger the ‘Suspicious Application – Connection Attempt from a Suspicious Application’ rule within the Exfiltration Prevention policy and are blocked by FortiEDR. In addition to the behavioral detection, the connection to IP address 45.41.240[.]51 is identified as a “malware ip server” through FortiEDR’s integration with FortiGuard Threat Intelligence feeds. This can be observed in the figure below.
Figure 2 Malware download from malicious IP server is blocked by FortiEDR
Examining the IP address 45.41.240[.]51 in FortiGuard Central Threat Service (CTS) highlights additional information on this IP and links it to Redigo malware. This additional information from CTS can be seen in Figure 3 below.
Figure 3 CTS detected malware IP as Redigo C2
To observe the behavior of the malware in later stages of the infection, the downloaded binary was allowed to execute with FortiEDR configured in log-only mode. When executed, the Redigo malware (SHA1 3f24dd274e3ba7bb01a44315ee07ac803808cf52) triggered the “Malicious File Detected” rule under the Execution Prevention policy. The executable was detected as “Redis.A!tr” and the related event can be observed in Figure 4 below.
Figure 4 FortiEDR blocked malicious Redigo file execution
We allowed the malware to execute further with FortiEDR in logging mode and observed the malware attempt to communicate with the previously identified C2 server 45.41.240[.]51. This communication was also blocked by FortiEDR, as shown in the figure below.
Figure 5 FortiEDR blocked C2 connection of Redigo malware
A simple FortiEDR Threat Hunting query can be used to detect communication with the known malicious C2 IP address associated with this Redigo campaign, as shown in Figure 6 below.
Figure 6 Threat Hunting query to find C2 communication associated with Redigo campaign
As highlighted in this article, FortiEDR is able to detect and mitigate the risk of the current Redigo campaign targeting CVE-2022-0543. FortiEDR’s integration with FortiGuard Threat Intelligence allows it to stay ahead of these emerging threats, and its behavioral detections allow it to stop such threats early in their kill chain. Despite FortiEDR’s protection, it is best to ensure that all software is patched as soon as possible to prevent adversaries from taking advantage of known vulnerabilities such as this one.
Network connections to the known Redigo C2 can be found using the following Threat Hunting query. The query finds events of type “Socket Connect” where the remote IP address matches the known C2. This C2 server is associated with the analyzed samples, so the query would not detect communication with future C2 servers:
Type:"Socket Connect" AND RemoteIP:45.41.240.51
Network connections made to the Redis default port 6379 on public IP addresses are found using the following Threat Hunting query. If any legitimate application on the network connects to a public Redis server, this query can produce false positives.
RemotePort:6379 AND NOT(RemoteIP:[127.0.0.1 TO 127.254.254.254]) AND NOT(RemoteIP:[10.0.0.1 TO 10.255.255.255]) AND NOT(RemoteIP:[192.168.0.1 TO 192.168.254.254]) AND NOT(RemoteIP:[172.16.0.1 TO 172.31.254.254])
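The two Threat Hunting queries above can be reproduced offline against exported event records to check what they match before relying on them. The following Python example is added here and is not FortiEDR's own tooling; the event dictionaries are constructed samples (only the C2 address comes from this article), and the field names Type, RemoteIP and RemotePort are taken from the queries. The first function mirrors the C2 query; the second mirrors the port-6379 query using the exact [lo TO hi] bounds from the query text, and also accepts a CIDR-based predicate to show that the query's literal bounds leave out the top of each private block (for example 192.168.255.x and 172.31.255.x), which the CIDR form catches.

```python
import ipaddress

# Constructed sample events, loosely modelled on the fields that the two
# Threat Hunting queries reference (Type, RemoteIP, RemotePort). They are
# not real FortiEDR records; the C2 address is the one from this article.
SAMPLE_EVENTS = [
    {"id": 1, "Type": "Socket Connect", "Process": "redis-1.2-SNAPSHOT",
     "RemoteIP": "45.41.240.51", "RemotePort": 6379},
    {"id": 2, "Type": "Socket Connect", "Process": "redis-cli",
     "RemoteIP": "10.0.0.5", "RemotePort": 6379},
    {"id": 3, "Type": "Socket Connect", "Process": "redis-cli",
     "RemoteIP": "192.168.255.10", "RemotePort": 6379},
    {"id": 4, "Type": "Socket Connect", "Process": "app",
     "RemoteIP": "198.51.100.7", "RemotePort": 6379},
    {"id": 5, "Type": "Socket Connect", "Process": "curl",
     "RemoteIP": "45.41.240.51", "RemotePort": 443},
    {"id": 6, "Type": "File Create", "Process": "wget",
     "RemoteIP": "45.41.240.51", "RemotePort": 80},
]

REDIGO_C2 = "45.41.240.51"  # C2 IP from the article's IoC table

# The exclusion ranges exactly as the second query spells them out.
QUERY_EXCLUDED_RANGES = [
    ("127.0.0.1", "127.254.254.254"),
    ("10.0.0.1", "10.255.255.255"),
    ("192.168.0.1", "192.168.254.254"),
    ("172.16.0.1", "172.31.254.254"),
]

# The same intent as CIDR blocks (loopback plus RFC 1918), which covers the
# whole of each block rather than the bounds written into the query.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse_v4(ip):
    """Return an IPv4Address, or None if the value is not a valid IPv4 literal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return addr if addr.version == 4 else None


def in_query_ranges(ip):
    """True if ip falls inside one of the query's literal [lo TO hi] ranges."""
    addr = _parse_v4(ip)
    if addr is None:
        return False
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in QUERY_EXCLUDED_RANGES)


def in_internal_networks(ip):
    """True if ip is loopback or RFC 1918, decided by CIDR membership."""
    addr = _parse_v4(ip)
    if addr is None:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_c2_connections(events, c2_ip=REDIGO_C2):
    """Query 1: Type:"Socket Connect" AND RemoteIP:<c2>. Returns matching event ids."""
    return [e["id"] for e in events
            if e.get("Type") == "Socket Connect" and e.get("RemoteIP") == c2_ip]


def find_public_redis_connections(events, exclude=in_query_ranges):
    """Query 2: RemotePort:6379 AND NOT(remote IP in an excluded range).

    `exclude` decides which remote addresses count as internal; pass
    in_internal_networks to use CIDR blocks instead of the query's bounds.
    """
    return [e["id"] for e in events
            if e.get("RemotePort") == 6379 and not exclude(e.get("RemoteIP", ""))]


if __name__ == "__main__":
    print("C2 connections:", find_c2_connections(SAMPLE_EVENTS))
    print("Public Redis (query bounds):", find_public_redis_connections(SAMPLE_EVENTS))
    print("Public Redis (CIDR):",
          find_public_redis_connections(SAMPLE_EVENTS, in_internal_networks))
```

Running the script flags events 1 and 5 for the C2 query, and for the port-6379 query flags events 1, 3 and 4 with the query's literal bounds but only 1 and 4 with the CIDR form, since 192.168.255.10 sits above the 192.168.254.254 upper bound in the query text. Event 6 shows that the first query depends on the event type as well as the address.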
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1190 | Exploit Public-Facing Application | This vulnerability targets public-facing endpoints hosting vulnerable versions of Redis server |
| T1571.001 | Non-Standard Port | The malware tries to communicate with the C2 server over the Redis application port (6379) |
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| C2 IP | 45.41.240[.]51 | IP Address | C2 | Redigo C2 | 2022-12-05 |
| Malicious Executable | 3f24dd274e3ba7bb01a44315ee07ac803808cf52 | SHA1 Hash | Installation | Redigo Malware Executable | 2022-12-05 |
Copyright 2023 Fortinet, Inc. All Rights Reserved.