REPORT - DIVD-2022-00004 - Post-Log4j

REPORT - DIVD-2022-00004 - Post-Log4j

2022-08-04 00:00:00 +0200 by Gerard Janssen

Case lead: Max van der Horst
CSIRT:
Researchers: Ralph Horn , Wietse Boonstra , ,

During the Log4J crisis, DIVD researcher Max van der Horst noted that Redis instances were used to exploit the Log4J vulnerability. Redis is an open-source, in-memory data store used by millions of users as a database, cache, streaming engine, and message broker.

It was discovered that Redis (Remote Dictionary Server), is prone to a (Debian-specific) Lua sandbox escape, which can result in remote code execution. The vulnerability (CVE 2022-0543) was exploited by members of TeamTN, a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused on deploying cryptocurrency miners in victim environments, in this case, running Redis.

‘Noteworthy is that it was specifically about Redis instances that did not have authentication enabled’, says van der Horst, ‘this was due to a configuration error, resulting in the database being open to the outside without authentication.’

In this campaign, attackers used the vulnerable Redis instances to control the infected servers, forming a botnet. The first attack was discovered on Sunday, December 13th, and multiple thousands of servers still seem to be used for this purpose, and of these servers, thousands are mining Monero for Team TNT.

In total 9645 IP addresses were notified. On April 18th there were still 5845 instances vulnerable, they were notified again in a second run.

Timeline

13 Dec 2021 Team TNT Log4J payload found in IPS logging.

12 Jan 2022 Redis instances found used for C2.

13 Jan 2022 Case Opened

13 Jan 2022 DIVD starts scanning for Redis instances.

15 Jan 2022 DIVD created a first list of servers used for C2.

16 Jan 2022 DIVD took notice of present data leaks on victim servers.

25 Jan 2022 DIVD starts first round of notifications.

16 Feb 2022 DIVD notified 9.354 server owners of malicious activity internationally.

18 Feb 2022 Dutch Security Information Clearinghouse notifies 291 server owners within the Netherlands.

18 Apr 2022 DIVD initiates a second round of notifications to unpatched parties.

25 May 2022 Case closed.