Redis server wrote suspicious module file


Goal

Detect a potentially malicious Redis module being saved to disk by the Redis server.

Strategy

One of the primary methods for compromising vulnerable Redis deployments is to use the SLAVEOF command (now renamed REPLICAOF) to change the replication settings of a Redis instance so that it joins an attacker-controlled Redis cluster. From there, the attacker uses Redis replication to push a malicious Redis module to the compromised node. Loading that module gives the attacker command execution on the compromised Redis instance.

Triage and response

  1. Determine if the Redis module is authorized on the host.
  2. If the activity is not authorized, verify whether the instance has been joined to an attacker-controlled cluster by running the CLUSTER INFO command.
  3. If the instance has been compromised, initiate incident response procedures.
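
As an added triage helper (example code, not part of this rule or the Datadog Agent), the following parses the text of `INFO replication` and a decoded `MODULE LIST` reply and flags a replica link to a master outside an assumed allow-list, or a loaded module outside an assumed approved set. The host names, ports and module names are constructed, and the flat name/value shape of the module reply is an assumption about how the client decodes it.

```python
"""Triage helper for the Redis module detection (added example, not the rule's own logic).
Given the raw text of INFO replication and a decoded MODULE LIST reply, report
an unexpected replica link and any module that is not on the approved list."""

# Assumed allow-lists a defender maintains for their own fleet (constructed values).
APPROVED_MASTERS = {("redis-primary.internal", 6379)}
APPROVED_MODULES = {"search", "timeseries"}


def parse_info(text: str) -> dict:
    """Parse INFO output: 'key:value' lines, '#' section headers, CRLF line endings."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def parse_module_list(reply) -> list:
    """Assumes each entry is a flat ['name', <name>, 'ver', <ver>, ...] array
    (the wire shape of MODULE LIST); returns the registered module names."""
    names = []
    for entry in reply:
        pairs = dict(zip(entry[0::2], entry[1::2]))
        names.append(pairs["name"])
    return names


def triage(info_text: str, module_reply) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    info = parse_info(info_text)
    findings = []
    if info.get("role") == "slave":  # INFO still reports replicas as 'slave'
        master = (info.get("master_host"), int(info.get("master_port", 0)))
        if master not in APPROVED_MASTERS:
            findings.append(f"replica of unexpected master {master[0]}:{master[1]}")
    for name in parse_module_list(module_reply):
        if name not in APPROVED_MODULES:
            findings.append(f"unapproved module loaded: {name}")
    return findings


# Constructed sample data: a node replicating from an unknown host with an unknown module.
SAMPLE_INFO = ("# Replication\r\nrole:slave\r\nmaster_host:203.0.113.10\r\n"
               "master_port:6379\r\nmaster_link_status:up\r\n")
SAMPLE_MODULES = [["name", "system", "ver", 1]]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INFO, SAMPLE_MODULES):
        print(finding)
```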

Requires Agent version 7.27 or greater