{ "type": "URL", "indicator": "https://195.123.220.193/run6/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://195.123.220.193/run6/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2239738175, "indicator": "https://195.123.220.193/run6/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "5ea068474577163bf614eb39", "name": "Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining", "description": "Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-mining bots and have been discovered to infect other vulnerable instances via their \u201cwormlike\u201d spreading capability.", "modified": "2020-04-22T15:52:39.890000", "created": "2020-04-22T15:52:39.890000", "tags": [ "redis", "kinsing", "miner", "elasticsearch", "xmrig", "golang", "linux", "crypto mining" ], "references": [ "https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 15, "FileHash-SHA1": 11, "FileHash-MD5": 11, "URL": 14, "domain": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386769, "modified_text": "2231 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 53 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/195.123.220.193", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "5ea068474577163bf614eb39", "name": "Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining", "description": "Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-mining bots and have been discovered to infect other vulnerable instances via their \u201cwormlike\u201d spreading capability.", "modified": "2020-04-22T15:52:39.890000", "created": "2020-04-22T15:52:39.890000", "tags": [ "redis", "kinsing", "miner", "elasticsearch", "xmrig", "golang", "linux", "crypto mining" ], "references": [ "https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 15, "FileHash-SHA1": 11, "FileHash-MD5": 11, "URL": 14, "domain": 2 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386769, "modified_text": "2231 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://195.123.220.193/run6/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://195.123.220.193/run6/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780347452.5120385 }