Hello, welcome to the Monday, May 21st, 2018 edition of the Santernut Storm Center's Stormcast. My name is

Johannes Ulrich, and today I'm recording from Reston, Virginia. Ramco Verhoof, the latest

addition to our handler team, came across an interesting new attack against Redis server.

Now the ultimate vulnerability being exploited here isn't new and has been exploited in the past.

It's well a very simple remote code execution vulnerability which actually is a feature in Redis.

Redis by design has the ability to write arbitrary files without requesting

authentication. After all, Redis is really not supposed to run exposed to the internet. Now in this

particular case and that's also typical for this kind of exploit against Redis, the attacker

is creating a wrong job that then executes the actual malicious code.

In this case, just downloads a Bash script and then executes it.

In this particular case, the Bash script is actually quite complex.

It lowers a number of different security settings.

Don't necessarily want to go over

all of them, changes name servers, and, well, for good measure, finally then launches a crypto

coin miner. Effected systems will also then start scanning for additional exposed Redis

servers. And Google announced that it will remove the secure indicator from HDPS

pages. Now, this may sound odd when you look at it initially, but really makes sense in

the way that Google is now suggesting that HDPS should be the default. So what will happen first is that instead

of seeing the lock sample and the word secure starting in September, you will only see

the lock simple for HTTP websites and later even the lock will be removed. Now what

Google will move to instead is that not secure

pages will be labeled as not secure, in particular if you're entering data into these pages,

...