
Unseen Threat Infiltrating Redis Servers: The Migo Malware Campaign and Emerging Dangers
In February, security researchers encountered a new malware campaign targeting Redis for initial access. The malware, dubbed Migo by developers, aims to compromise Redis servers in order to mine cryptocurrency on the underlying Linux host.
Domains | Source | Last Update |
---|---|---|
get.bi-chi.com | SOCRadar | 2024-03-01 |
t00ls.ru | SOCRadar | 2024-03-01 |
MITIGATIONS
ATT&CK IDS:
T1543.003 - Windows Service
T1140 - Deobfuscate/Decode Files or Information
T1059.001 - PowerShell
T1546.015 - Component Object Model Hijacking
T1059.003 - Windows Command Shell
T1574.002 - DLL Side-Loading
Protected mode functions as a security feature for Redis servers, intended to safeguard against accidental exposure to public networks.
Introduced in Redis 3.2.0, this feature is active when the server runs with its default configuration, that is, with no bind directive (so it listens on all network interfaces) and no password configured. Under protected mode, the server accepts connections only on the loopback interface; attempts from any other source are answered with an error message.
It's probable that during the initial phase of unauthorized access, attackers disabled this mode to facilitate the transmission of commands to the Redis server over the internet. Mitigating the risks associated with the exposure of Redis servers, particularly in the context of disabling protected mode, involves implementing a combination of best practices and security measures:
Enable Authentication: Use the requirepass configuration directive to set a strong password for accessing the Redis server. This prevents unauthorized access to the server.
Use Firewalls: Configure firewalls to restrict access to the Redis server, allowing connections only from trusted IP addresses or networks.
Bind to Specific Interfaces: Instead of binding to all network interfaces (0.0.0.0), configure Redis to bind only to specific, secure interfaces. This can significantly reduce the risk of external attacks.
Enable TLS/SSL: Encrypt data in transit by enabling TLS/SSL connections to Redis, protecting data from being intercepted by attackers.
Regular Updates: Keep the Redis server and its dependencies updated to the latest versions. This ensures that any known vulnerabilities are patched.
Monitor Access and Logs: Regularly monitor access logs for unauthorized attempts to access the Redis server. Implementing real-time alerting for suspicious activities can help in early detection of potential breaches.
Limit Commands: Use the rename-command directive in the Redis configuration file to rename or disable dangerous commands that can be exploited by attackers, such as FLUSHDB, FLUSHALL, and CONFIG.
Network Segmentation: Isolate the Redis server within a secure network segment to limit the potential impact of a breach and restrict lateral movement by attackers.
Backup and Disaster Recovery: Regularly backup Redis data and have a disaster recovery plan in place. This ensures data integrity and availability in the event of an attack.
Use Protected Mode Wisely: If for any reason protected mode must be disabled, ensure that other security measures are in place and properly configured to protect the server.
By combining these strategies, the security posture around Redis servers can be significantly enhanced, reducing the risk of exploitation and unauthorized access.
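The configuration items in the list above (and the "Secure Configuration Settings" remediation step below) can be checked offline. The following is an added example, not SOCRadar's or the Redis project's own tooling: it parses a redis.conf in the directive-per-line format Redis uses and reports which mitigations are missing. The two embedded configs are constructed samples; the interface address, password and the renamed CONFIG name are placeholders.

```python
# Added example (not SOCRadar's or the Redis project's own tooling): an offline
# audit of a redis.conf against the mitigations above; both configs are constructed.
DANGEROUS = ("FLUSHDB", "FLUSHALL", "CONFIG")  # commands the page singles out

def parse_conf(text):
    """Map each directive to its argument lists; only lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        conf.setdefault(directive.lower(), []).append(args)
    return conf

def audit(text):
    """Return one finding per missing mitigation; an empty list means hardened."""
    conf = parse_conf(text)
    findings = []
    pm = conf.get("protected-mode", [["yes"]])[-1]        # Redis default: yes
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode is disabled")
    if "requirepass" not in conf and "user" not in conf:  # no password, no ACL user
        findings.append("no requirepass or ACL user: unauthenticated access")
    binds = conf.get("bind", [[]])[-1]                     # absent = all interfaces
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bound to all interfaces")
    tls = conf.get("tls-port", [["0"]])[-1]
    if not tls or tls[0] == "0":
        findings.append("tls-port not set: traffic is unencrypted")
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f"{cmd} is neither renamed nor disabled")
    return findings

WEAK_CONF = """# constructed: how an exposed server is typically configured
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """# constructed: mitigations applied (address, secret, new name are placeholders)
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 0
tls-port 6379
requirepass CHANGE-ME-long-random-secret
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG cfg-2f9a1c
"""
```

The hardened sample omits tls-cert-file and tls-key-file, which a real TLS-enabled server also needs.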
REMEDIATIONS
To remediate vulnerabilities and secure Redis servers, especially in instances where protected mode has been disabled or the server has been compromised, follow these steps:
Re-enable Protected Mode: If protected mode was disabled, re-enable it to ensure that Redis does not accept connections from untrusted networks. This is a crucial first step if the server was inadvertently exposed.
Set Strong Passwords: Implement strong, complex passwords using the requirepass directive in the Redis configuration file. Ensure that passwords are rotated regularly and are unique.
Review and Restrict Access: Examine your firewall rules and network access controls. Restrict access to the Redis server to only known, trusted IP addresses. If possible, keep the Redis server behind a VPN or internal network, away from direct internet access.
Update and Patch: Immediately update Redis to the latest version to patch known vulnerabilities. Regularly check for updates or security patches and apply them promptly.
Secure Configuration Settings: Audit the Redis configuration file for any insecure settings. Bind the server to localhost or internal interfaces, disable or rename dangerous commands using the rename-command directive, and ensure TLS/SSL encryption is enabled for data in transit.
Enable Logging and Monitoring: Set up extensive logging and real-time monitoring for the Redis server. Look for unusual patterns of access or commands that could indicate malicious activity. Implement alerting mechanisms for suspicious activities.
Perform a Security Audit: Conduct a thorough security audit of the Redis server and its environment. This should include checking for misconfigurations, assessing the effectiveness of current security measures, and identifying any potential vulnerabilities.
Network Segmentation and Isolation: Ensure that the Redis server operates within a segmented network environment, isolated from unrelated systems and services. This reduces the risk of lateral movement in case of a compromise.
Incident Response Plan: Develop and maintain an incident response plan specifically for scenarios involving the Redis server. This plan should outline steps to take in case of a security breach, including how to isolate the affected system, eradicate the threat, and recover from the incident.
Educate and Train Staff: Provide training for staff members on best practices for securing Redis servers and recognizing potential security threats. Awareness can significantly reduce the risk of accidental misconfigurations or overlooked security measures.
By diligently applying these remediation steps, you can significantly improve the security of your Redis servers, protecting them against unauthorized access and potential exploits.
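The "Monitor Access and Logs" item in the mitigation list and the "Enable Logging and Monitoring" remediation step above, made concrete as an added example that is neither SOCRadar's nor the Redis project's code: it parses the line format of Redis's MONITOR command, which streams every command the server receives, and flags the behaviour this page attributes to the campaign (protected mode switched off at runtime, dangerous commands arriving from non-loopback clients). The sample stream and the client addresses in it are constructed.

```python
# Added example (not SOCRadar's or the Redis project's own tooling): flag, in the
# output of Redis's MONITOR command, the activity the page describes; SAMPLE is constructed.
import ipaddress
import re

# MONITOR prints one line per command: <unix time> [<db> <client>] "cmd" "arg" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')     # double-quoted, backslash-escaped
DANGEROUS = {"FLUSHDB", "FLUSHALL", "CONFIG"}   # commands the page lists

def parse_monitor_line(line):
    """Return (timestamp, client, argv) or None when the line is not a command."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group(1)), m.group(3), ARG_RE.findall(m.group(4))

def is_loopback(client):
    """client is 'host:port' ('[v6]:port' for IPv6) or 'lua' for scripted calls."""
    host = client.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return client == "lua"                  # no remote peer behind a script

def classify(line):
    """Severity label for one MONITOR line, or None when nothing is notable."""
    parsed = parse_monitor_line(line)
    if parsed is None or not parsed[2]:
        return None
    _, client, argv = parsed
    cmd, sub = argv[0].upper(), [a.lower() for a in argv[1:]]
    if cmd == "CONFIG" and sub[:3] == ["set", "protected-mode", "no"]:
        return "HIGH: protected mode disabled at runtime"
    if cmd in DANGEROUS:
        if is_loopback(client):
            return f"MEDIUM: {cmd} from loopback client {client}"
        return f"HIGH: {cmd} from remote client {client}"
    return None

def scan(text):
    """All findings for a captured MONITOR stream, in order."""
    return [f for f in map(classify, text.splitlines()) if f]

SAMPLE = """\
1709251200.100000 [0 127.0.0.1:40000] "GET" "session:abc"
1709251201.250000 [0 203.0.113.7:51234] "CONFIG" "SET" "protected-mode" "no"
1709251202.000000 [0 203.0.113.7:51234] "FLUSHALL"
1709251203.000000 [0 lua] "SET" "counter" "1"
"""
```

MONITOR reduces server throughput while attached, so on a busy instance capture it in short windows rather than leaving it running.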
CONCLUSIONS
The Migo malware campaign represents a significant evolution in cyber threats targeting cloud-based services and Redis servers. By employing sophisticated tactics such as novel system weakening commands, compile-time obfuscation, and the use of a user-mode rootkit, attackers have demonstrated an increasing sophistication in their approaches to bypass security measures and facilitate unauthorized cryptocurrency mining.
This campaign underscores the critical need for organizations to adopt advanced cybersecurity solutions that can detect and mitigate such complex threats. SOCRadar offers a comprehensive cybersecurity platform that can significantly benefit organizations looking to protect their systems against such advanced threats. Specifically, the Threat Intelligence module within the SOCRadar Platform is invaluable for organizations seeking to stay ahead of emerging threats like the Migo malware.
The Threat Intelligence module provides real-time insights and actionable intelligence on the latest cyber threats, enabling organizations to proactively identify and respond to potential vulnerabilities in their systems. By leveraging this module, organizations can gain a deeper understanding of the tactics, techniques, and procedures (TTPs) used by attackers, such as those behind the Migo campaign. This knowledge allows for the implementation of targeted security measures to prevent initial access and ensure the resilience of critical systems against sophisticated attacks.
Moreover, SOCRadar's comprehensive approach to cybersecurity, encompassing early detection, detailed threat analysis, and proactive mitigation recommendations, makes it an essential tool in the arsenal of any organization aiming to protect itself from the ever-evolving landscape of cyber threats. In the face of campaigns like Migo, which seek to exploit web-facing services and employ advanced evasion techniques, the intelligence and insights provided by SOCRadar's Threat Intelligence module are more crucial than ever.
In conclusion, the Migo malware campaign highlights the necessity for robust, intelligence-driven cybersecurity solutions. SOCRadar's Threat Intelligence module stands out as a powerful resource for organizations aiming to navigate the complexities of today's cyber threat environment effectively. By leveraging SOCRadar, organizations can not only respond more efficiently to immediate threats but also adopt a more strategic approach to cybersecurity, ultimately enhancing their overall security posture and resilience against sophisticated cyber attacks.