In a blog post, researchers from Aqua Nautilus detail their findings about malware called HeadCrab that has infected more than 1,200 Redis database servers in the past year and a half. The threat actor has been using its access to the compromised servers to mine virtual currency.
Note
- Optimized databases like Redis are sometimes “protected” by the limited functionality they offer. However, here the attacker figured out that they are able to upload extension modules to the database adding the missing functionality. I have seen similar attacks against MySQL before.
- I can’t imagine a newscaster saying HeadCrab malware with a straight face. HeadCrab is a monster from the game Half-Life, which attaches itself to humans and turns them into zombies. This malware takes advantage of trust relationships, such as SLAVEOF, between Redis servers to load and transfer modules which add C&C commands to the targeted server. Make sure you’ve secured your Redis installations; don’t expose them directly to the Internet, enable protected mode for cloud installations, bind the instance to a specific address to limit communication to trusted hosts and disable the slaveof feature if not actively used.
- Hmm, maybe a new trend: naming malware after disgusting body conditions that you want to rid yourself of very quickly. Would WannaCry have been dealt with more quickly if it had been called HeadLice?
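The hardening advice in the second note (protected mode, a specific bind address, SLAVEOF disabled) can be checked mechanically. The script below is an added example, not code from SANS, Aqua Nautilus or the Redis project; the two redis.conf fragments are constructed, and the audit rules encode only the settings discussed above plus the MODULE command that HeadCrab relies on to load its extension.

```python
# Constructed sample redis.conf fragments (not taken from the page or a real host).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5      # listen only on loopback and one internal address
protected-mode yes
port 6379
requirepass REPLACE_WITH_STRONG_SECRET
rename-command SLAVEOF ""    # renaming to "" disables the command
rename-command REPLICAOF ""  # newer alias of SLAVEOF
rename-command MODULE ""     # blocks MODULE LOAD of attacker-supplied .so files
"""


def parse_conf(text):
    """Parse redis.conf text into (directives, disabled_commands).

    directives maps each lower-cased directive to its argument list (last one wins,
    as Redis does); disabled_commands is the set of commands renamed to ""."""
    directives, disabled = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "rename-command" and len(parts) == 3 and parts[2] in ('""', "''"):
            disabled.add(parts[1].upper())
        elif key != "rename-command":
            directives[key] = parts[1:]
    return directives, disabled


def audit(text):
    """Return the list of weaknesses found; an empty list means the advice is met."""
    d, disabled = parse_conf(text)
    findings = []
    if d.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is disabled")
    binds = d.get("bind", [])
    # No bind line is treated as weak: older Redis versions then listen on all interfaces.
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes the instance on all interfaces")
    if "requirepass" not in d:
        findings.append("no requirepass set")
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} still enabled")
    if "MODULE" not in disabled:
        findings.append("MODULE command still enabled")
    return findings
```

On a Redis 6 or later deployment, ACL rules (for example denying @dangerous to application users) are the preferred way to restrict MODULE and REPLICAOF, but the rename-command check above still catches the exposed configuration the note warns about.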
Read more in