
RedisWannaMine cryptojacking attack exploits EternalBlue vulnerability and public Redis servers

A newly discovered and unusually sophisticated cryptojacking attack attempts to install cryptominers on both database and application servers by targeting misconfigured Redis servers, as well as Windows servers that are susceptible to the EternalBlue NSA exploit.

Researchers with Imperva uncovered the threat when its web application sensors detected signs of a remote code execution attack exploiting an Apache Struts vulnerability. Dubbing the attack "RedisWannaMine," Imperva warns in a Mar. 8 blog post that compared to most cryptojacking threats, this one is "more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their wallets."

After probing the remote host associated with the attack, Imperva's researchers found several suspicious files, including "transfer.sh," a cryptominer downloader. Upon successful infection, this shell script file installs a publicly available tool called "masscan" that is billed on GitHub as an Internet port scanner that can sweep the entire internet in five minutes.

Armed with the masscan tool, transfer.sh then launches a process called "redisscan.sh" to discover public Redis servers, listening on port 6379, within a large list of IPs. (Redis describes itself as an "open source, in-memory data structure store, used as a database, cache and message broker.") Using the redis-cli command-line tool, which the downloader installed earlier, the script runs the "runcmd" payload command script against each discovered server, infecting it and gaining persistence.

But this is just the first of two attack vectors. Next, the script runs another scan process called “ebscan.sh” that again uses the masscan tool to discover, via port 445, publicly available Windows servers with the Server Message Block (SMB) vulnerability CVE-2017-0144. It then exploits this vulnerability with a Python implementation of EternalBlue -- the exploit that was prominently used to spread WannaCry ransomware.

This process drops the file “x64.bin," which contains code to create a malicious VBScript file, which in turn downloads an executable from an external location. Imperva describes the executable as a "well-known cryptominer malware," but does not specify which one it is.

To guard against this threat, Imperva recommends that users patch their web applications and databases, properly configure their Redis servers, and ensure that machines aren't running the vulnerable SMB protocol.
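Of the three recommendations, the Redis one is the easiest to check mechanically. The following Python script is an added example, not code from the article or from Imperva: it parses a redis.conf and flags the settings that leave an instance reachable and unauthenticated on port 6379, namely a wildcard or missing `bind`, `protected-mode no`, no `requirepass` (or ACL `user`) entry, and a CONFIG command still available under its default name. The two configurations it audits are constructed samples, and the password value is a placeholder.

```python
"""Audit a redis.conf for the exposure settings that RedisWannaMine-style
worms rely on: an instance that accepts unauthenticated connections from
the public internet and still offers the CONFIG command.

Added example, not from the Imperva report. Directive names (`bind`,
`protected-mode`, `requirepass`, `user`, `rename-command`) are real Redis
configuration directives; the sample configs below are constructed.
"""
from typing import Dict, List

# Constructed sample: a Redis instance exposed the way the article describes.
WEAK_CONF = """\
# listens on every interface, no authentication, CONFIG left enabled
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the hardened equivalent (password is a placeholder).
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <placeholder-strong-password>
rename-command CONFIG ""
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "*", "::", "-::*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive name to the list of its argument strings.

    Directives such as rename-command may appear more than once, so every
    occurrence is kept. Blank lines and comments are skipped.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Exposure: with no `bind` line Redis listens on every interface,
    #    exactly as it does with a wildcard address.
    binds = conf.get("bind", [])
    exposed = not binds or any(
        tok in WILDCARD_ADDRESSES for args in binds for tok in args.split()
    )
    if exposed:
        findings.append("bind: listens on all interfaces, port 6379 reachable remotely")

    # 2. protected-mode (default yes since Redis 3.2) refuses remote clients
    #    when no bind address and no password are configured. Explicitly
    #    turning it off is what makes an open instance writable from outside.
    if any(args.lower() == "no" for args in conf.get("protected-mode", [])):
        findings.append("protected-mode: explicitly disabled")

    # 3. Authentication: either a requirepass or Redis 6 ACL `user` entries.
    has_password = any(args for args in conf.get("requirepass", []))
    if not has_password and "user" not in conf:
        findings.append("requirepass: no password and no ACL users configured")

    # 4. CONFIG is the command an attacker uses to make an exposed instance
    #    write files to disk; renaming or disabling it (rename-command
    #    CONFIG "") removes that path without affecting normal clients.
    renamed = {
        args.split()[0].upper()
        for args in conf.get("rename-command", [])
        if args.split()
    }
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still available under its default name")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run against the weak sample it reports all four findings; against the hardened sample it reports none. A real deployment should also keep the instance behind a firewall, since `bind` and `protected-mode` only limit what Redis itself accepts, not what the host exposes.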

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
