Redis exploit powering Metasploit Meterpreter for malicious activity – beware

  • Attackers are using an 8-year-old version of Redis to maliciously use Metasploit’s Meterpreter module
  • They are exploiting vulnerable Redis servers to distribute malware and take over infected systems

Attackers have been exploiting an old version of the Redis open-source database server to deploy Metasploit’s Meterpreter module for malicious purposes. This abuse lets them probe the compromised system for further weaknesses, take it over and distribute various malware. The attackers target Redis servers that have authentication disabled and are exposed to the public Internet. They use Meterpreter, a payload that ships with Metasploit, to fetch and execute known exploits on the targeted system.

Redis is an in-memory data store increasingly used in cloud environments, which makes it a popular target for attackers. Once they gain access to Redis, attackers can spread malware using Metasploit Meterpreter through different methods, such as registering malware-executing commands as Cron tasks or pushing commands through the Slave server configuration.

The attack observed by ASEC targeted a Windows system running Redis 3.x, an older version released in 2016. The attackers installed PrintSpoofer, a privilege escalation tool, using CertUtil rather than PowerShell. They then installed the Meterpreter Stager, which gave them control of the infected system and a foothold from which to take over the organization’s internal network.

To prevent compromise through this attack vector, ASEC recommends updating Redis servers to the latest version, ensuring patches are applied, and installing security protection software to restrict external access to Redis servers that are open to the Internet. Organizations that follow these recommendations reduce the risk of falling victim to similar attacks.
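The exposure the article describes, a Redis instance reachable from the Internet with authentication disabled, is visible in the server's own configuration file. The following audit script is an added example, not code from the article or from ASEC: it parses a redis.conf and flags the settings that produce that exposure. The directive names (bind, port, protected-mode, requirepass, rename-command) are real redis.conf keys; the two sample configurations and the finding messages are constructed for this example.

```python
"""Audit a redis.conf for the exposed, unauthenticated pattern described above.

Added example, not part of the original article. Directive names are real
redis.conf keys; both sample configurations below are constructed.
"""
import shlex

# Constructed sample resembling an exposed deployment with no authentication.
EXPOSED_CONF = """
# redis.conf (constructed sample)
bind 0.0.0.0
port 6379
protected-mode no
# requirepass is commented out, so anyone who can reach the port has full access
# requirepass changeme
"""

# Constructed sample carrying the settings a hardened deployment would use.
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass a-long-random-secret
rename-command CONFIG ""
"""

OPEN_BIND_ADDRESSES = ("0.0.0.0", "::", "*")


def parse_redis_conf(text):
    """Return {directive: [values...]}, keeping the last occurrence of each
    directive (later lines override earlier ones). rename-command may appear
    many times, so it is collected as a list of [old, new] pairs."""
    conf = {}
    renamed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex handles quoted values such as ""
        key, values = parts[0].lower(), parts[1:]
        if key == "rename-command":
            renamed.append(values)
        else:
            conf[key] = values
    conf["rename-command"] = renamed
    return conf


def _listens_on_all_interfaces(conf):
    # With no bind directive at all, Redis listens on every interface.
    binds = conf.get("bind", [])
    return not binds or any(b in OPEN_BIND_ADDRESSES for b in binds)


def _has_no_password(conf):
    return not conf.get("requirepass") or conf["requirepass"][0] == ""


def is_exposed_unauthenticated(text):
    """True when the server accepts connections on any interface and requires
    no password: the combination the article says attackers look for."""
    conf = parse_redis_conf(text)
    return _listens_on_all_interfaces(conf) and _has_no_password(conf)


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means none of
    the checked exposure conditions is present."""
    conf = parse_redis_conf(text)
    findings = []
    if _listens_on_all_interfaces(conf):
        findings.append("bind: listens on all interfaces; restrict to 127.0.0.1 or an internal address")
    if _has_no_password(conf):
        findings.append("requirepass: not set; clients need no password")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode: explicitly disabled; re-enable it")
    config_disabled = any(
        len(r) == 2 and r[0].upper() == "CONFIG" and r[1] == ""
        for r in conf["rename-command"]
    )
    if not config_disabled:
        findings.append('CONFIG command reachable by clients; consider rename-command CONFIG ""')
    return findings


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] exposed and unauthenticated: {is_exposed_unauthenticated(sample)}")
        for finding in audit_redis_conf(sample):
            print("  -", finding)
```

Run it against a live server's redis.conf (for example `python audit.py < /etc/redis/redis.conf` after reading stdin instead of the samples) as part of a build or deployment check; a non-empty finding list on an Internet-facing host is the condition the article's recommendations are meant to close. Note that protected-mode only exists from Redis 3.2 onward, so on the older 3.x builds the article mentions the bind and requirepass findings are the ones that matter.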

