RedisWannaMine cryptojacking attack exploits EternalBlue vulnerability and public Redis servers

LASER_oneXM

A newly discovered and unusually sophisticated cryptojacking attack attempts to install cryptominers on both database and application servers by targeting misconfigured Redis servers, as well as Windows servers that are susceptible to the EternalBlue NSA exploit.

Researchers with Imperva uncovered the threat when its web application sensors detected signs of a remote code execution attack exploiting an Apache Struts vulnerability. Dubbing the attack "RedisWannaMine," Imperva warns in a Mar. 8 blog post that compared to most cryptojacking threats, this one is "more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their wallets."

After probing the remote host associated with the attack, Imperva's researchers found several suspicious files, including "transfer.sh," a cryptominer downloader. Upon successful infection, this shell script file installs a publicly available tool called "masscan" that is billed on GitHub as an Internet port scanner that can sweep the entire internet in five minutes.

This process drops the file "x64.bin," which contains code to create a malicious VBScript file, which in turn downloads an executable from an external location. Imperva describes the executable as a "well-known cryptominer malware," but does not specify which one it is.

To guard against this threat, Imperva recommends that users patch their web applications and databases, properly configure their Redis servers, and ensure that machines aren't running the vulnerable SMB protocol.
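The post's closing recommendation is to "properly configure" Redis. The following is a defender-side audit of a redis.conf for the exposure the attack scans for, added here as an example; it is not code from the article, from Imperva, or from MalwareTips. It assumes the standard redis.conf directives (bind, protected-mode, requirepass, rename-command); both configurations below are constructed samples, one showing the weak settings and one showing the hardened equivalents.

```python
"""Audit a redis.conf for the misconfiguration RedisWannaMine targets:
a server reachable from any interface with no authentication.
Example code, not from the article or Imperva; sample configs are constructed."""
from typing import Dict, List

# Constructed sample: an exposed server of the kind a mass scanner would find.
WEAK_CONF = """
# listens on every interface, no authentication, protected mode off
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::0"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to the list of its argument strings.
    Directives such as rename-command may legitimately repeat, hence a list."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(args)
    return conf


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checked
    exposures is present. Defaults mirror Redis behaviour: no bind directive
    means all interfaces, protected-mode defaults to yes (Redis >= 3.2)."""
    conf = parse_conf(text)
    findings: List[str] = []

    binds = conf.get("bind", [])
    if not binds or any(tok in WILDCARD_BINDS for b in binds for tok in b.split()):
        findings.append("bind: server listens on all interfaces")

    if conf.get("protected-mode", ["yes"])[-1].strip().lower() == "no":
        findings.append("protected-mode no: remote clients may connect without auth")

    if not any(a.strip() for a in conf.get("requirepass", [])):
        findings.append("requirepass missing: no authentication required")

    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed/disabled: runtime reconfiguration allowed")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against a real redis.conf by reading the file into `audit()`; a clean result means the server is bound to a local address, requires a password, keeps protected mode on, and has the CONFIG command renamed, which together remove the exposure the post describes.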
