Unseen Threat Infiltrating Redis Servers: The Migo Malware Campaign and Emerging Dangers


Tags: Migo Threat, Redis Servers, Linux Malware, Crypto Mining
In February, security researchers encountered a new malware campaign that targets Redis for initial access. The malware, dubbed Migo by its developers, compromises exposed Redis servers in order to mine cryptocurrency on the underlying Linux host.

Indicators of Compromise

get.bi-chi.com
t00ls.ru

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATIONS

To remediate vulnerabilities and secure Redis servers, especially where protected mode has been disabled or the server has been compromised, follow these steps:

1. Re-enable Protected Mode: If protected mode was disabled, re-enable it so that Redis does not accept connections from untrusted networks. This is the crucial first step if the server was inadvertently exposed.

2. Set Strong Passwords: Implement strong, complex passwords using the requirepass directive in the Redis configuration file. Ensure that passwords are rotated regularly and are unique.

3. Review and Restrict Access: Examine your firewall rules and network access controls. Restrict access to the Redis server to known, trusted IP addresses only. Where possible, keep the Redis server behind a VPN or on an internal network, away from direct internet access.

4. Update and Patch: Immediately update Redis to the latest version to patch known vulnerabilities. Regularly check for updates or security patches and apply them promptly.

5. Secure Configuration Settings: Audit the Redis configuration file for insecure settings. Bind the server to localhost or internal interfaces, disable or rename dangerous commands using the rename-command directive, and ensure TLS/SSL encryption is enabled for data in transit.

6. Enable Logging and Monitoring: Set up extensive logging and real-time monitoring for the Redis server. Look for unusual patterns of access or commands that could indicate malicious activity, and implement alerting for suspicious activity.

7. Perform a Security Audit: Conduct a thorough security audit of the Redis server and its environment, including checking for misconfigurations, assessing the effectiveness of current security measures, and identifying potential vulnerabilities.

8. Network Segmentation and Isolation: Ensure that the Redis server operates within a segmented network environment, isolated from unrelated systems and services. This reduces the risk of lateral movement in case of a compromise.

9. Incident Response Plan: Develop and maintain an incident response plan specifically for scenarios involving the Redis server. The plan should outline the steps to take in case of a breach, including how to isolate the affected system, eradicate the threat, and recover from the incident.

10. Educate and Train Staff: Provide training for staff on best practices for securing Redis servers and recognizing potential security threats. Awareness significantly reduces the risk of accidental misconfigurations or overlooked security measures.

By diligently applying these remediation steps, you can significantly improve the security of your Redis servers, protecting them against unauthorized access and potential exploits.
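The following is an added example, not code from the original page: a small auditor that reads a redis.conf and reports the weak settings the remediation steps above address (protected-mode, bind, requirepass, rename-command, TLS). The set of commands it expects to be renamed, the sample configurations, and the placeholder IP and password values are assumptions chosen for illustration.

```python
# Added example: check a redis.conf text for the settings named in the remediation
# steps. DANGEROUS_COMMANDS and the sample configs below are assumptions, not page data.
DANGEROUS_COMMANDS = {"CONFIG", "FLUSHALL", "FLUSHDB", "DEBUG"}

def parse_redis_conf(text):
    # Yield (directive, value) pairs, skipping comments and blank lines.
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf, renamed = {}, set()
    for directive, value in parse_redis_conf(text):
        if directive == "rename-command":
            renamed.add((value.split() or [""])[0].upper())  # e.g. rename-command CONFIG ""
        else:
            conf[directive] = value                           # last occurrence wins, as in Redis
    findings = []
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    bind = conf.get("bind", "").split()
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind is missing or listens on all interfaces")
    if not conf.get("requirepass"):
        findings.append("requirepass is not set")
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f"{cmd} is neither renamed nor disabled")
    if "tls-port" not in conf:
        findings.append("no tls-port: traffic is not encrypted in transit")
    return findings

# Constructed weak configuration: the exposed state the remediation steps address.
WEAK_CONF = "protected-mode no\nport 6379\n"

# Constructed hardened configuration applying the steps (placeholder values).
HARDENED_CONF = """
protected-mode yes
bind 127.0.0.1 10.0.0.5
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
port 0
tls-port 6380
tls-cert-file /etc/redis/redis.crt
tls-key-file /etc/redis/redis.key
"""
```

Running `audit_redis_conf` over the weak sample lists every unmet step, while the hardened sample yields no findings; extend DANGEROUS_COMMANDS to match your own rename-command policy.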


Observed Countries: 250
