Muhstik is a botnet that has been known to spread via exploits in web applications. It was discovered targeting Redis servers by using a newly disclosed vulnerability within the database system.
The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.
“Due to a packaging problem, remote attackers with the capability to execute arbitrary Lua commands could escape the Lua Sandbox and execute arbitrary code on the host,” Ubuntu stated in an advisory last month.
According to telemetry data gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (“russia.sh”) from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.
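The advisory's precondition is the useful defensive handle: CVE-2022-0543 is only reachable by a client that can send Lua to the server via EVAL. As an added example (not code from the article or from Juniper's report), the script below parses `redis-cli MONITOR` output and flags EVAL/EVALSHA/SCRIPT commands arriving from addresses outside an operator-defined allowlist; the sample MONITOR lines, the allowlist and the IPv4-style addresses are constructed for the demo.

```python
"""Flag Lua script execution on Redis from clients outside an allowlist.

Input is the line format printed by `redis-cli MONITOR`:
    <unix time> [<db> <ip>:<port>] "CMD" "arg1" "arg2" ...
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<ip>\S+):(?P<port>\d+)\] (?P<args>.*)$'
)
# Commands that hand Lua source (or a cached script) to the embedded interpreter.
LUA_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}


@dataclass
class Finding:
    ts: float
    client_ip: str
    command: str
    script_preview: str  # first bytes of the Lua source, for triage


def parse_args(raw: str) -> list[str]:
    """Split MONITOR's double-quoted, backslash-escaped argument list."""
    return [a.replace('\\"', '"') for a in re.findall(r'"((?:[^"\\]|\\.)*)"', raw)]


def find_remote_lua(lines, allowlist):
    """Return a Finding for every Lua-executing command from a non-allowed IP."""
    allow = [ip_network(n) for n in allowlist]
    findings = []
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue  # the leading "OK" banner or unrelated output
        args = parse_args(m.group("args"))
        if not args or args[0].upper() not in LUA_COMMANDS:
            continue
        ip = m.group("ip").strip("[]")  # MONITOR brackets IPv6 addresses
        if any(ip_address(ip) in net for net in allow):
            continue
        preview = args[1][:60] if len(args) > 1 else ""
        findings.append(Finding(float(m.group("ts")), ip, args[0].upper(), preview))
    return findings


# Constructed sample: one internal EVALSHA, one EVAL from an outside address.
SAMPLE_MONITOR = """OK
1646996000.100000 [0 10.0.0.12:51000] "SET" "session:abc" "1"
1646996001.200000 [0 10.0.0.12:51002] "EVALSHA" "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" "1" "k"
1646996002.300000 [0 203.0.113.45:40311] "EVAL" "return redis.call('get', KEYS[1])" "1" "k"
1646996003.400000 [0 203.0.113.45:40311] "CONFIG" "GET" "dir"
"""

if __name__ == "__main__":
    for f in find_remote_lua(SAMPLE_MONITOR.splitlines(), ["10.0.0.0/8"]):
        print(f"{f.ts:.0f} {f.client_ip} {f.command} {f.script_preview!r}")
```

Run it against a live capture with `redis-cli MONITOR | python3 this_script.py`-style piping only after adapting the sample input to stdin; any hit from an address that should never reach the instance is a sign the server is exposed and should be patched and firewalled.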
First documented by Chinese security firm Netlab 360, Muhstik is known to be active since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.
Capable of self-propagating on Linux and IoT devices like GPON home routers, DD-WRT routers, and Tomato routers, Muhstik has been spotted weaponizing a number of flaws over the years –
- CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability
- CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability
- CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and
- CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell)
“This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,” Juniper Threat Labs researchers said in a report published last week.
Users are strongly advised to quickly patch Redis to fix the security hole.