Malware Activity

Redis Servers Targeted by New 'Migo' Cryptojacking Malware

Security analysts at cloud forensics provider Cado Security have discovered a new malware campaign, dubbed "Migo", that targets Redis servers in order to use the underlying Linux hosts for cryptomining. Cado's analysts observed the Migo campaign actively attempting to exploit their Redis honeypot servers. Redis (Remote Dictionary Server) is a high-performance in-memory data structure store that can be used as a database, cache, or message broker. Redis is a prime target for cryptomining campaigns because of its ability to serve thousands of requests per second for real-time applications. According to Cado's analysis, the Migo payload's primary function is to install and execute a modified cryptominer fetched from GitHub's content delivery network (CDN). Before delivering the Migo payload, the attacker disables several of the Redis server's security features in order to enable external access, allow writing to replicas, and create a heavier IO load. Once the server's defenses are weakened, the Migo payload is delivered via a cron job that downloads the script from Pastebin. The malware employs a user-mode rootkit to hide its processes and files from detection, and it establishes persistence by creating a systemd service and timer that keep the miner running. Although cryptojacking attacks can be less disruptive to organizations than other forms of cyberattack, CTIX analysts recommend that organizations using Redis include Migo indicators of compromise (IOCs) in their threat hunting activities, particularly as the malware can open the door to far more damaging outcomes. CTIX analysts will continue to report on novel strains of malware.
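A defender-side configuration check in the spirit of the paragraph above, added here and not taken from Cado's report: it audits redis.conf-style settings for the safeguards Migo is described as switching off (external access, writable replicas, heavier IO load). Mapping those behaviours onto the specific Redis directives named in the code is an assumption, and the sample configuration is constructed.

```python
"""Audit a Redis configuration for the safeguards the Migo campaign is
described as disabling before it drops its payload. Added example, not code
from the Cado report. Mapping the described behaviours (external access,
writable replicas, heavier IO load) onto the directive names below is an
assumption; they are real Redis settings, not IOCs from the report.
"""

# Directive -> hardened value. All four default to "yes", so a directive
# absent from the file is treated as still at its default.
EXPECTED = {
    "protected-mode": "yes",                 # refuse non-loopback clients when no auth
    "replica-read-only": "yes",              # replicas reject writes
    "aof-rewrite-incremental-fsync": "yes",  # turning these off raises IO load
    "rdb-save-incremental-fsync": "yes",
}
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}


def parse_redis_conf(text: str) -> dict[str, str]:
    """Parse redis.conf-style 'directive value' lines; comments and blanks skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return settings


def audit(settings: dict[str, str]) -> list[str]:
    """Return one finding per weakened safeguard; an empty list means hardened."""
    findings = [f"{k} is '{settings.get(k, v)}' (expected '{v}')"
                for k, v in EXPECTED.items() if settings.get(k, v).lower() != v]
    # No bind directive means all interfaces; bound beyond loopback with no
    # password and protected-mode off, the server can be reconfigured remotely.
    bind = settings.get("bind")
    exposed = bind is None or not set(bind.split()) <= LOOPBACK
    if exposed and "requirepass" not in settings and settings.get("protected-mode", "yes") != "yes":
        findings.append("server reachable remotely without authentication")
    return findings


# Constructed sample resembling a server after the described tampering.
TAMPERED_CONF = ("bind 0.0.0.0\nprotected-mode no\nreplica-read-only no\n"
                 "aof-rewrite-incremental-fsync no\nrdb-save-incremental-fsync no\n")

if __name__ == "__main__":
    for finding in audit(parse_redis_conf(TAMPERED_CONF)):
        print("FINDING:", finding)
```

Running it against the output of `CONFIG REWRITE` or the live redis.conf on each host gives a quick inventory of which servers have been left in the weakened state the campaign relies on.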

Threat Actor Activity

LockBit RaaS Operation Vitally Disrupted by Internationally Coordinated Law Enforcement Efforts

An international law enforcement operation proved successful once again in combating global cybercrime, this time disrupting the LockBit ransomware gang's operations and seizing its website. The joint operation was conducted by law enforcement agencies from ten (10) countries, including the UK's National Crime Agency, the FBI, Europol, and several other international police agencies. "Operation Cronos," as it is being called, is an ongoing and developing operation against LockBit, one of the most prolific ransomware groups in the world. LockBit's data leak site currently displays a banner that reads: "this site is now under the control of The National Crime Agency of the UK, Working in close cooperation with the FBI and the international law enforcement task force." The LockBit Ransomware-as-a-Service (RaaS) operation first appeared in late 2019 and has significantly outpaced the activity of comparable groups since its emergence. Attributed to upwards of 2,300 attacks resulting in $120 million in ransom payments, the group sits at 1,400 more attacks than the next most active group, Conti. The group is estimated to have extorted at least $91 million from US organizations alone since the beginning of 2020 and has a prominent list of international victims including Boeing, the UK Royal Mail, the automotive giant Continental, and the Italian Internal Revenue Service. But beyond all else, the group may be most notorious for its willingness to target organizations such as hospitals and healthcare entities. Law enforcement has also claimed to have seized LockBit source code, chats, and victim information. Additionally, they seized 200 crypto-wallets, retrieved over 1,000 decryption keys to build a decryption tool and recover encrypted files, and arrested two (2) LockBit operators in Poland and Ukraine.
Furthermore, as part of Operation Cronos, law enforcement was able to take down thirty-four (34) servers in the Netherlands, Germany, Finland, France, Switzerland, Austria, the US, and the UK, as well as obtain control of over 14,000 rogue accounts that LockBit members used to host tools and software used in attacks and to store data stolen from compromised entities. The US State Department is offering rewards via the Transnational Organized Crime Rewards Program: up to $10 million for information pertaining to LockBit leadership and an additional $5 million for information on anyone involved in LockBit ransomware attacks.

Vulnerabilities

Critical ScreenConnect Vulnerabilities Under Active Exploitation

ConnectWise disclosed two (2) critical vulnerabilities in ScreenConnect, its remote desktop software, which are being actively exploited by attackers. The vulnerabilities, tracked as CVE-2024-1708 (an authentication bypass) and CVE-2024-1709 (a path traversal flaw), affect servers running ScreenConnect version 23.9.7 and earlier. The authentication bypass flaw allows attackers to create new administrator accounts via the setup wizard, while the path traversal flaw can be exploited to access or modify sensitive files outside of restricted directories. In response, ConnectWise has urged administrators to update their on-premises servers; cloud instances have already been secured. Multiple ScreenConnect accounts have been compromised following the disclosure. Cybersecurity researchers from Huntress highlighted how easy it is to develop exploits for these vulnerabilities, noting that over 8,800 vulnerable servers were initially found exposed online, a number which later decreased to about 3,800. The vulnerabilities were quickly exploited by threat actors, prompting Huntress to release a detailed analysis to encourage faster remediation. Huntress has also shared indicators of compromise (linked below) and detection guidance to help administrators protect against these exploits. CTIX analysts urge all administrators using ScreenConnect to ensure that they are running the patched software to prevent exploitation.
