Muhstik botnet targeting Redis servers using a recently revealed vulnerability in the database system

The Muhstik Botnet

Attacks on Redis servers performed by Muhstik, a well-known botnet that propagates by exploiting web application vulnerabilities, have been observed by security researchers.

Muhstik Botnet

The CVE-2022-0543 vulnerability

The servers of Redis have been under attack thanks to a recently disclosed vulnerability in the database system. As per the information that is available, an open-source, in-memory key-value data store has been found to contain a Lua sandbox escape flaw tracked as (CVE-2022-0543) that could be exploited for remote code execution on the vulnerable machine. The severity of this vulnerability has been assigned a score of ten out of ten, which is the maximum severity of the scale.

In an advisory released by Ubuntu last month, the company stated that a remote attacker with arbitrary Lua scripting ability could potentially escape the Lua sandbox and execute arbitrary code on the host.

It has been reported that the new flaw was exploited on March 11, 2022, leading to a malicious shell script (russia.sh) being downloaded from a remote server, which was then used to download and execute the botnet binaries from a different server.

Coin mining and distributed denial-of-service (DDoS) attacks have been monetized by Muhstik since March 2018, according to the Chinese security firm Netlab 360.

Over the years, Muhstik has been seen exploiting a number of flaws in Linux and IoT devices like GPON home routers, DD-WRT routers and Tomato routers.

According to a report published last week by Juniper Threat Labs, this bot connects to an IRC server to receive commands that include downloading files, running shell commands, conducting flood attacks, and brute-forcing SSH credentials.

There have been reports of Muhstik malware since 2017, and security experts believe this threat is based on a fork of the Mirai code and has been spreading through web application exploits.

The botnet makes money using cryptomining and DDoS services. WordPress, Drupal, WebDAV, Oracle’s WebLogic application server and a variety of Internet of Things (IoT) and Small Office/Home Office (SOHO) devices are among the web applications it targets.

To avoid being exploited, users should update their Redis services to the most recent version as soon as possible.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment