Pierluigi Paganini March 28, 2022

The Muhstik botnet has been observed targeting Redis servers exploiting the recently disclosed CVE-2022-0543 vulnerability.

Muhstik is a botnet that is known to use web application exploits to compromise IoT devices, it has been around for at least 2018. Botnet operators monetize their efforts via XMRig combined with DDoS-for-hire services. 

The botnet leverages IRC servers for command-and-control (C2) communications, experts noticed that it has consistently used the same infrastructure since it first appeared in the threat landscape.

The bot propagates by compromising home routers, but experts observed multiple attempted exploits for Linux server propagation. The list of targeted routers include GPON home router, DD-WRT router, and the Tomato router. 

The bot includes exploits for Oracle WebLogic Server vulnerabilities CVE-2019-2725 and CVE-2017-10271, and the Drupal RCE flaw tracked as CVE-2018-7600.

Now researchers from Juniper Threat Labs observed the Muhstik botnet exploiting the CVE-2022-0543 Lua sandbox escape flaw that impacts Debian and Debian-derived Linux distributions.

“Juniper Threat Labs has uncovered an attack that targets Redis Servers using a recently disclosed vulnerability, namely CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The attack started on March 11, 2022 from the same threat actor we’ve seen targeting confluence servers back in September 2021 and the same group targeting Log4j back in December.” reads the analysis published by Juniper. “The payload used is a variant of Muhstik bot that can be used to launch DDOS attacks.”

The vulnerability, which was rated 10 out of 10 for severity, could be exploited by a remote attacker with the ability to execute arbitrary Lua scripts to possibly escape the Lua sandbox and execute arbitrary code on the underlying machine.

The attacks exploiting the CVE-2022-0543 vulnerability started on March 11, 2022, the attackers were attempting to fetch the malicious script “russia.sh” using wget or curl from “106[.]246.224.219”. It saves it as “/tmp/russ” and executes it.

Experts pointed out that the vulnerability is not related to Redis, instead, it existed because the Lua library in some Debian/Ubuntu packages is provided as a dynamic library (Ubuntu Bionic and Trusty are not affected). Upon initializing the Lua interpreter, the “package” variable is automatically populated, and that in turn permitted access to arbitrary Lua functionality.  

To demonstrate this attack, the researchers set up a vulnerable Redis server and launched a proof of concept exploit code which is a Lua script that is using the “eval” command.
The researchers demonstrated that they are able to achieve code execution by dumping the contents of “/etc/passwd”.  

The researchers shared Indicators of Compromise (IoCs) for these attacks.

“We advise those who may be vulnerable to patch their Redis service.” concludes the report. “Debian and Ubuntu have also released security advisories regarding this matter. Links are below: 

• Debian Advisory 
• Ubuntu Advisory“

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Muhstik botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]