Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.
The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.
“Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,” Ubuntu noted in an advisory released last month.
According to telemetry data gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (“russia.sh”) from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.
First documented by Chinese security firm Netlab 360, Muhstik is known to be active since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.
images from Hacker News