FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat
Staff
Article Id 239842

Introduction

Redis (Remote Dictionary Server) is a popular open-source in-memory database and cache. It is used for caching when real-time applications need data delivered faster than a relational database can provide it; Redis serves requests very quickly, which allows for millions of requests per second.

 

In February 2022 it was discovered that, due to a packaging issue, some versions of Redis are prone to a Lua sandbox escape which can result in remote code execution. This vulnerability was assigned CVE-2022-0543 on 28 Mar 2022 [1]. In some Debian packages, when the Redis server loads a dynamic library provided by Lua, the package path is exposed as a variable. An attacker can modify this variable to load any Lua library, which gives them scope to execute arbitrary Lua commands.

 

On 01 Dec 2022 researchers from Aqua Nautilus [2] discovered new malware, written in Go, that was attacking Redis servers. The attack was observed against a honeypot, and the attack chain also exploited CVE-2022-0543. The following diagram shows the attack chain used in this attack.

 


Figure 1 Attack chain for CVE-2022-0543 and Redigo malware

 

The purpose of this article is to demonstrate how FortiEDR is able to detect and mitigate current threats associated with this vulnerability. This article will also demonstrate what events are generated by these threats if they are observed in a FortiEDR protected environment.

 

Analysis

After gaining access to a vulnerable Redis server, the threat actors in the campaign described by Aqua Nautilus attempt to download a malicious ELF binary, “redis-1.2-SNAPSHOT”, using the ‘wget’ command. Attempts to use wget to download external payloads trigger the ‘Suspicious Application – Connection Attempt from a Suspicious Application’ rule within the Exfiltration Prevention Policy and are blocked by FortiEDR. In addition to the behavioral detection, the connection to IP address 45.41.240[.]51 is identified as a “malware ip server” through FortiEDR’s integration with FortiGuard Threat Intelligence feeds. This can be observed in the figure below.

 


Figure 2 malware download from malicious IP server is blocked by FortiEDR

 

Examining the IP address 45.41.240[.]51 in FortiGuard Central Threat Service (CTS) highlights additional information on this IP and links it to the Redigo malware. This additional information from CTS can be seen in Figure 3 below.

 


Figure 3 CTS detected malware IP as Redigo C2

 

To observe the behavior of the malware in the later stages of the infection, the downloaded malware was allowed to execute with FortiEDR configured in log-only mode. When executed, the Redigo malware (SHA1 3f24dd274e3ba7bb01a44315ee07ac803808cf52) triggered the “Malicious File Detected” rule under the Execution Prevention policy. The executable was detected as “Redis.A!tr”, and the related event can be observed in Figure 4 below.

 


Figure 4 FortiEDR blocked malicious Redigo file execution

 

We allowed the malware to execute further with FortiEDR in logging mode and observed the malware attempt to communicate with the same C2 server seen earlier, 45.41.240[.]51. This communication was also blocked by FortiEDR, as can be seen in the figure below.

 


Figure 5 FortiEDR blocked C2 connection of Redigo malware

 

A simple FortiEDR Threat Hunting query can be used to detect communication with the known malicious C2 IP address associated with this Redigo campaign, as shown in Figure 6 below.

 


Figure 6 Threat Hunting query to find C2 communication associated with Redigo campaign

 

Conclusion

As highlighted in this article, FortiEDR is able to detect and mitigate the risk of the current Redigo campaign targeting CVE-2022-0543. FortiEDR’s integration with FortiGuard Threat Intelligence allows it to stay ahead of these emerging threats, and its behavioral detections allow it to stop such threats early in their kill chain. Despite FortiEDR’s protection, it is best to ensure that all software is patched as soon as possible to prevent adversaries from taking advantage of known vulnerabilities such as this one.

 

Threat Hunting

Network connections to the known Redigo C2 can be found using the following Threat Hunting query. The query finds events of type “Socket Connect” where the remote IP address matches the known C2. This C2 server is associated with the analyzed samples, so this query will not detect communication with future C2 servers:

 

Type:"Socket Connect" AND RemoteIP:45.41.240.51

 

 

Network connections made to the Redis default port 6379 on public IP addresses can be found using the following Threat Hunting query. If any legitimate application on the network connects to a public Redis server, this query can produce false positives.

 

RemotePort:6379 AND NOT(RemoteIP:[127.0.0.1 TO 127.254.254.254]) AND NOT(RemoteIP:[10.0.0.1 TO 10.255.255.255]) AND NOT(RemoteIP:[192.168.0.1 TO 192.168.254.254]) AND NOT(RemoteIP:[172.16.0.1 TO 172.31.254.254])
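As an added example (this is not FortiEDR's code or its query engine), the Python below applies the same two filters to a constructed CSV export of socket events, so the logic of both queries can be checked offline. The query fields Type, RemoteIP and RemotePort are mapped onto assumed column positions in the sample lines, and the internal-address exclusion uses the full loopback and RFC 1918 CIDR blocks rather than the literal bounds written in the query, so it is marginally broader. The sample lines are constructed, not real telemetry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Known Redigo C2 address from the IOC table in this article (defanging removed).
KNOWN_C2_IPS = {"45.41.240.51"}
REDIS_PORT = 6379

# Internal ranges the second query excludes: loopback plus the three RFC 1918 blocks.
# Assumption: full CIDR blocks are used here instead of the query's literal bounds.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class SocketEvent:
    """One network event carrying the fields the queries filter on (assumed names)."""
    timestamp: str
    event_type: str   # corresponds to the query field Type
    process: str
    remote_ip: str    # corresponds to RemoteIP
    remote_port: int  # corresponds to RemotePort


def parse_event(line: str) -> SocketEvent:
    """Parse one constructed export line of the form ts,type,process,ip,port."""
    ts, ev_type, proc, ip, port = (field.strip() for field in line.split(","))
    return SocketEvent(ts, ev_type, proc, ip, int(port))


def matches_known_c2(ev: SocketEvent) -> bool:
    """Equivalent of: Type:"Socket Connect" AND RemoteIP:45.41.240.51"""
    return ev.event_type == "Socket Connect" and ev.remote_ip in KNOWN_C2_IPS


def matches_public_redis(ev: SocketEvent) -> bool:
    """Equivalent of: RemotePort:6379 AND NOT(loopback or RFC 1918 RemoteIP)"""
    if ev.remote_port != REDIS_PORT:
        return False
    try:
        addr = ipaddress.ip_address(ev.remote_ip)
    except ValueError:
        # Malformed address: it cannot be classified as public, so it is not reported.
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def hunt(lines: List[str]) -> Dict[str, List[SocketEvent]]:
    """Run both hunts over raw export lines and group the hits by query name."""
    events = [parse_event(ln) for ln in lines if ln.strip()]
    return {
        "known_c2": [e for e in events if matches_known_c2(e)],
        "public_redis": [e for e in events if matches_public_redis(e)],
    }


# Constructed sample export (not real FortiEDR telemetry).
SAMPLE_LINES = [
    "2022-12-05T10:00:01Z,Socket Connect,redis-1.2-SNAPSHOT,45.41.240.51,6379",
    "2022-12-05T10:00:05Z,Socket Connect,redis-cli,10.20.30.40,6379",
    "2022-12-05T10:00:09Z,Socket Connect,app-worker,203.0.113.25,6379",
    "2022-12-05T10:00:12Z,Socket Connect,curl,198.51.100.7,443",
    "2022-12-05T10:00:15Z,Socket Connect,redis-server,127.0.0.1,6379",
    "2022-12-05T10:00:20Z,File Create,wget,45.41.240.51,0",
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LINES).items():
        print(name)
        for e in hits:
            print(f"  {e.timestamp} {e.process} -> {e.remote_ip}:{e.remote_port}")
```

Running the script reports the "redis-1.2-SNAPSHOT" connection under both hunts and the "app-worker" connection to a public address only under public_redis; the loopback and 10.x Redis connections and the File Create event are filtered out, which mirrors the false-positive caveat above: any legitimate client of an external Redis server will also surface in the second hunt.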

 

 

MITRE ATT&CK

TA0001 – Initial Access
Technique ID: T1190
Technique Description: Exploit Public-Facing Application
Observed Activity: This vulnerability targets public-facing endpoints hosting vulnerable versions of Redis server

TA0011 – Command and Control
Technique ID: T1571.001
Technique Description: Non-Standard Port
Observed Activity: The malware tries to communicate with the C2 server over the Redis application port (6379)

 

IOCs

Indicator Description: C2 IP
Indicator: 45.41.240[.]51
Indicator Type: IP Address
Associated Tactic: C2
Notes: Redigo C2
First Observed: 2022-12-05

Indicator Description: Malicious Executable
Indicator: 3f24dd274e3ba7bb01a44315ee07ac803808cf52
Indicator Type: SHA1 Hash
Associated Tactic: Installation
Notes: Redigo Malware Executable
First Observed: 2022-12-05

 

 

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-0543

[2] https://blog.aquasec.com/redigo-redis-backdoor-malware