
RedisWannaMine Cryptomining Worm


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new cryptocurrency mining worm has been observed targeting servers using the Redis data structure store. Named RedisWannaMine, it also uses the EternalBlue SMB exploit to propagate.

Threat details

Initial delivery involves exploiting an Apache Struts remote code execution vulnerability, CVE-2017-9805, to install a dropper. This dropper then attempts to gain persistence using new crontab entries as well as remote access using a new SSH key and iptables entries. It will then download RedisWannaMine.

RedisWannaMine uses numerous Linux packages, either downloaded from GitHub or contained within the initial download. The cryptomining module is run first, after which a secondary module begins scanning port 6379 (the default Redis listening port) across a large list of internal and external IP addresses. When this module discovers an open port, it executes another process to infect the new server. Once the Redis scan is complete, a second scan is initiated against port 445 (the default SMB listening port) using the same IP list, again infecting new servers where open ports are found.


Threat updates

Date        Update
6 Jun 2018  A new report by Imperva indicates that 75% of all open Redis servers have been infected with RedisWannaMine.


Remediation steps

  • The initial attack vector exploits a vulnerability in unpatched web applications. Web applications running on potentially vulnerable servers should be updated immediately.
  • If not in use, ports 445 and 6379 should be closed.
  • If possible, ensure that Redis servers are not exposed to the internet.
  • Ensure your AV software is kept updated with the very latest security definitions.
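The remediation steps above and the port-6379 scan described under Threat details both come down to one condition: a Redis instance reachable from non-loopback addresses with no authentication. The following audit script is an added example, not part of this alert or of Redis itself; it parses a redis.conf body and reports whether that condition holds, assuming the documented defaults (no bind line means all interfaces, protected-mode defaults to yes, requirepass is unset) and ignoring Redis 6+ ACL users.

```python
# Added example, not from the NHS Digital alert: audit a redis.conf for the
# combination RedisWannaMine's port-6379 scan relies on, a Redis instance
# reachable from non-loopback addresses without authentication.
# Assumed defaults follow the redis.conf documentation: no "bind" line means
# all interfaces, protected-mode defaults to yes, requirepass is unset.
# Redis 6+ ACL users (aclfile / "user" lines) are not evaluated here.

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_redis_conf(text):
    """Map directive -> value (last one wins), skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def audit_redis_conf(text):
    """Return (exposed_unauthenticated, findings) for a redis.conf body."""
    conf = parse_redis_conf(text)
    findings = []
    explicit_bind = "bind" in conf
    # Redis 7 allows a leading "-" meaning "bind only if the address exists".
    binds = [b.lstrip("-") for b in conf["bind"].split()] if explicit_bind else ["0.0.0.0"]
    public = [b for b in binds if b not in LOOPBACK]
    if public:
        findings.append("bind: reachable on " + ", ".join(public))
    protected = conf.get("protected-mode", "yes").lower() == "yes"
    if not protected:
        findings.append("protected-mode: no")
    has_pass = bool(conf.get("requirepass"))
    if not has_pass:
        findings.append("requirepass: not set")
    if conf.get("port", "6379") == "6379":
        findings.append("port: default 6379, the port the worm scans")
    # protected-mode only shields an instance that has neither an explicit
    # bind nor a password; any other public, passwordless instance is open.
    exposed = bool(public) and not has_pass and not (protected and not explicit_bind)
    return exposed, findings

# Constructed sample configs: the kind of instance the worm infects, and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\nrequirepass change-me-to-a-long-secret\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        exposed, findings = audit_redis_conf(conf)
        print(name, "EXPOSED" if exposed else "ok", findings)
```

Run it against a copy of the live redis.conf; an "EXPOSED" result on a host with port 6379 open to the network is exactly the case the second and third remediation steps address.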


CVE Vulnerabilities

CVE-2017-9805 (Apache Struts remote code execution, used for initial delivery)

Last edited: 17 February 2020 12:53 pm