NSA headquarters 700px
NSA headquarters 700px
Security researchers have revealed an extremely complex cryptojacking attack dubbed RedisWannaMine, which is powered by Redis and NSA exploits and aimed at both database servers and application servers.

According to a blog post, the attack is a new generation cryptojacking attack, which demonstrates worm-like behaviour combined with advanced exploits to increase the attackers' infection rate and fatten their wallets. 

The attackers are targeting machines using the NSA's EternalBlue SMB exploit, as well as the Redis cache server.  

Researchers found the malware when it probed a remote server and found a list of suspicious files. The list includes known malicious files, like minerd,but also some unknown suspicious files like transfer.sh.

They said that one shell script file it found was a downloader that is similar in some ways to older cryptojacking downloaders. This file downloads a crypto miner malware from an external location, gains persistency in the machine through new entries in crontab, and gains remote access to the machine through a new ssh key entry in /root/.ssh/authorized_keys and new entries in the system's iptables

According to the researchers, the script installs a lot of packages using Linux standard package managers like apt and yum. “This is probably to make sure it is self-sufficient and does not need to depend on local libraries in the victim's machine,” they said.

It also downloads a publicly available tool, named masscan, from a Github repository, then compiles and installs it. The script then launches another process named “redisscan.sh”. The new process uses the masscantool mentioned above to discover and infect publicly available Redis servers.

After the script completed the Redis scan, it launches another scan process named “ebscan.sh”. This time the new process uses the masscan tool to discover and infect publicly available Windows servers with the vulnerable SMB version.

“In case you've been living under a rock, the SMB vulnerability this script is scanning for, was used by the NSA to create the infamous “Eternal Blue” exploit. This exploit was later on adapted to carry out “WannaCry”, one the biggest cyber-attacks in the world,” said researchers.

Researchers said that organisations should protect web applications and databases. “The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe,” said Nadav Avital, technical application security research analyst at Imperva Defence Centre.

Joseph Carson, chief security scientist at Thycotic, told SC Media UK that without a doubt we will see more cyber-attacks using Redis and NSA exploits as many organisations around the world continue to struggle with Patch Management. “Any systems with unpatched exploits of known vulnerabilities will always continue to be used by cyber-criminals.”

“Applying an approach of least privilege and privileged access management will reduce the ability for such exploits to easily move and infect systems on the network, meaning that even if a cyber-attack is successful, the impact to the organisation can be kept isolated,” he said.

Jon Topper, CTO of The Scale Factory, told SC Media UK that attackers  don't discriminate: they'll use any exploit that gets them into a remote system.” If there are a number of Redis and SMB servers in the wild that are publicly accessible and unpatched, then they risk being used as an attack vector,” he said.

“Organisations can mitigate attacks by putting better network access controls in place - neither Redis nor SMB servers should typically be internet-facing for the majority of use cases. In a corporate environment you might have SMB servers accessible to user workstations, and so a compromised workstation might be used as a vector to gain access to an SMB server. If you're running server software, it needs to be kept patched and up to date. No ifs, buts or excuses.”