Muhstik, a botnet known for spreading through web application exploits, has been seen attacking Redis servers with a freshly discovered vulnerability in the database system.
CVE-2022-0543 is a Lua sandbox escape flaw in the open-source, in-memory key-value data store that could be exploited to achieve remote code execution on the underlying host. The vulnerability carries a severity rating of ten out of ten.
“A remote attacker with the ability to execute arbitrary Lua scripts might conceivably escape the Lua sandbox and execute arbitrary code on the host due to a packaging vulnerability,” Ubuntu warned in a recent alert.
According to Juniper Threat Labs' telemetry data, the attacks using the new issue began on March 11, 2022, with the retrieval of a malicious shell script (“russia.sh”) from a remote site, which is then used to fetch and execute botnet binaries from another server.
Muhstik has been active since March 2018 and is monetized for carrying out coin mining activities and conducting distributed denial-of-service (DDoS) assaults, according to Chinese security firm Netlab 360.
Muhstik has been seen weaponizing a number of vulnerabilities over the years, and is capable of self-propagating on Linux and IoT devices such as GPON home routers, DD-WRT routers, and Tomato routers.
Vulnerabilities the botnet has exploited include:
- CVE-2017-10271 (CVSS score: 7.5) - An input validation vulnerability in the WebLogic Server component of Oracle Fusion Middleware
- CVE-2018-7600 (CVSS score: 9.8) - A remote code execution vulnerability in Drupal
- CVE-2019-2725 (CVSS score: 9.8) - A remote code execution vulnerability in Oracle WebLogic Server
- CVE-2021-26084 (CVSS score: 9.8) - An OGNL (Object-Graph Navigation Language) injection vulnerability in Atlassian Confluence
- CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability in Apache Log4j (aka Log4Shell)
“This bot connects to an IRC server to accept commands,” Juniper Threat Labs researchers wrote in a report released last week. “These commands include: download files, shell commands, flood attacks, [and] SSH brute force.”
Due to the active exploitation of the severe security weakness, users are strongly advised to update their Redis services to the most recent version as soon as possible.