The Muhstik botnet infamous for spreading via web application exploits, has been spotted targeting and exploiting a Lua sandbox escape flaw (CVE-2022-0543) in Redis severs after a proof-of-concept exploit was publicly released.
Lua sandbox escape flaw was uncovered in the open-source, in-memory, key-value data store in February 2022 and could be exploited to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 on the severity scale.
"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu explained in an advisory released last month.
The attacks exploiting the new flaw started on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and implement the botnet binaries from another server, Juniper Threat Lab researchers explained.
According to Chinese security firm Netlab 360, the Muhstik botnet is known to be active since March 2018 and is monetized for performing coin mining activities and staging distributed denial-of-service (DDoS) attacks.
The botnet propagates by exploiting home routers, but researchers noticed multiple attempted exploits for Linux server propagation. The list of compromised routers includes GPON home router, DD-WRT router, and the Tomato router. The vulnerabilities exploited by Muhstik over the years are as follows –
• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability
• CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and
• CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell)
"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week. In light of active exploitation of the critical security loophole, users are strictly advised to act quickly to patch their Redis services to the latest version.