Ethical Hacking News
A new malware campaign, tracked as RedisRaider, has been identified that exploits publicly accessible Redis servers to deploy XMRig miners on Linux hosts through Redis configuration abuse. The Go-based malware uses a bespoke scanner to find exposed Redis servers and then abuses them to inject malicious cron jobs; its infrastructure also hosts a web-based Monero miner, giving the attackers more than one revenue channel. The campaign is not limited to a fixed set of Linux hosts but keeps expanding its reach and scale.
Separately, legacy authentication protocols such as BAV2ROPC and IMAP/POP3 are being abused to brute-force accounts in Microsoft Entra ID. Regular users received the bulk of the authentication attempts (50,214), while admin accounts and shared mailboxes were targeted with distinct patterns. To mitigate this risk, it is advised to block legacy authentication via Conditional Access policy, disable BAV2ROPC, and turn off SMTP AUTH in Exchange Online if it is not in use.
The world of cybersecurity has witnessed numerous exploits and attacks over the years, but a recent discovery has shed light on a new method used by malicious actors. According to a report from Datadog Security Labs, a Go-based malware campaign has been identified that targets publicly accessible Redis servers across the internet. The goal of the campaign is to deploy XMRig miners on compromised Linux hosts, and it continues to expand its reach and scale.
The attack mechanism involves using a bespoke scanner to identify vulnerable Redis servers, which are then exploited by abusing Redis configuration commands to inject malicious cron jobs. These cron jobs execute a Base64-encoded shell script that downloads the RedisRaider binary from a remote server. The payload serves as a dropper for a bespoke version of XMRig, allowing the attackers to run an XMRig miner on compromised systems.
The malware's infrastructure also hosted a web-based Monero miner, enabling the attackers to generate revenue through multiple channels.
Another recent attack campaign, identified by Guardz, exploits legacy authentication protocols in Microsoft Entra ID to brute-force accounts. The activity, observed between March 18 and April 7, 2025, leverages BAV2ROPC to bypass defenses such as multi-factor authentication (MFA) and Conditional Access. This is not the first time legacy protocols have been abused in this way: in 2021, Microsoft divulged a large-scale business email compromise (BEC) campaign that used BAV2ROPC and IMAP/POP3 to circumvent MFA and exfiltrate email data.
To mitigate such risks, it is advised to block legacy authentication via Conditional Access policy, disable BAV2ROPC, and turn off SMTP AUTH in Exchange Online if it is not in use.
Tracking and investigation revealed systematic exploitation attempts that took advantage of the inherent design limitations of BAV2ROPC, which predates contemporary security architectures. The threat actors behind this campaign demonstrated a deep understanding of identity systems, primarily targeting admin accounts through legacy authentication endpoints.
Regular users received the bulk of the authentication attempts (50,214), while admin accounts and shared mailboxes were targeted with distinct patterns. Admin accounts received 9,847 attempts across 432 IPs over 8 hours, an average of 22.79 attempts per IP and a velocity of 1,230.87 attempts per hour.
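The figures above fall out of grouping legacy-protocol sign-ins by source IP and dividing by IP count and window length; the same grouping, applied to your own sign-in export, is the detection. The following Python is an added example for this article, not Guardz's tooling; the record layout and the constructed sign-in rows are assumptions, and the legacy client names are the labels Entra ID sign-in logs use for non-modern clients.

```python
from collections import defaultdict

# Client-app labels under which legacy (non-modern) sign-ins appear in Entra ID logs
# (assumed set; BAV2ROPC requests land here rather than under modern auth).
LEGACY_APPS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sign-in records: (client app, account, source ip, status).
SIGNINS = [
    ("Browser", "alice@corp.example", "198.51.100.7", "Success"),
    ("Other clients", "admin@corp.example", "203.0.113.10", "Failure"),
    ("Other clients", "admin2@corp.example", "203.0.113.10", "Failure"),
    ("Other clients", "helpdesk@corp.example", "203.0.113.10", "Failure"),
    ("IMAP4", "shared-mailbox@corp.example", "203.0.113.11", "Failure"),
    ("IMAP4", "shared-mailbox@corp.example", "203.0.113.11", "Failure"),
    ("Other clients", "admin@corp.example", "203.0.113.12", "Success"),
]

def legacy_auth_by_ip(records):
    """Per source IP: legacy-protocol attempts, distinct accounts tried, and failures."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "failures": 0})
    for app, account, ip, status in records:
        if app in LEGACY_APPS:
            entry = per_ip[ip]
            entry["attempts"] += 1
            entry["accounts"].add(account)
            if status == "Failure":
                entry["failures"] += 1
    return dict(per_ip)

def flag_sources(records, min_accounts=2, min_failures=2):
    """IPs that spray several accounts, or fail repeatedly, over legacy auth."""
    return sorted(ip for ip, e in legacy_auth_by_ip(records).items()
                  if len(e["accounts"]) >= min_accounts or e["failures"] >= min_failures)

def legacy_successes(records):
    """Accounts that authenticated over a legacy protocol, i.e. without an MFA challenge."""
    return sorted({acct for app, acct, _, status in records
                   if app in LEGACY_APPS and status == "Success"})

def campaign_rates(attempts, ip_count, hours):
    """Attempts per IP and per hour, the two figures reported for the admin-account subset."""
    return attempts / ip_count, attempts / hours
```

A legacy-auth success against an admin account (as in the last constructed row) deserves a password reset and session revocation even when the source IP never trips the volume thresholds.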
The attacks originated mainly from Eastern Europe and the Asia-Pacific region, underscoring the global nature of these threats. Organizations must stay vigilant and implement robust security measures to protect against them.
To combat threats of this kind, a layered approach is needed: endpoint security, intrusion detection, and advanced threat protection tooling, alongside the identity-level controls described above. Cybersecurity professionals should also stay current on newly disclosed vulnerabilities and exploit techniques so that their defenses keep pace.
In conclusion, the RedisRaider campaign and the Entra ID brute-force activity both show the importance of staying vigilant in today's cybersecurity landscape. By understanding the tactics, techniques, and procedures (TTPs) used by malicious actors, organizations can implement effective countermeasures against such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Malware-Campaign-Exploits-Redis-Servers-to-Deploy-XMRig-Miner-on-Linux-Hosts-via-Redis-Configuration-Abuse-ehn.shtml
https://thehackernews.com/2025/05/go-based-malware-deploys-xmrig-miner-on.html
Published: Tue May 20 06:09:16 2025 by llama3.2 3B Q4_K_M