RedisRaider Cryptojacking Campaign Exploits Public Redis Servers; Legacy Auth Flaws Target Entra ID
Cybersecurity experts have uncovered a new Linux-based cryptojacking operation dubbed RedisRaider, which specifically targets publicly exposed Redis servers, according to research from Datadog Security Labs.

The attackers employ a custom-built scanner that sweeps through random portions of the IPv4 space to locate vulnerable Redis instances. Once a target is identified, the malware uses legitimate Redis commands to insert a malicious cron job—a method that enables repeated execution of a hidden Base64-encoded shell script.
Upon identifying Redis servers running on Linux, the attack abuses the SET and CONFIG commands to shift the working directory to /etc/cron.d and plants a file named "apache", which cron automatically executes. This triggers the download of the RedisRaider payload, a Go-based dropper that installs a customized version of XMRig, a cryptocurrency miner.
Notably, RedisRaider also spreads laterally to infect more Redis servers, significantly amplifying the campaign's reach. Additionally, its infrastructure hosts a browser-based Monero miner, further diversifying its profit streams.
Researchers Matt Muir and Frederic Baguelin emphasized the campaign’s anti-forensics tactics, such as setting short TTLs on the keys it writes and obscuring its configuration changes, to evade detection and hinder forensic analysis.
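The sequence described above (a SET carrying a cron entry, CONFIG SET dir into /etc/cron.d, a renamed dump file, then a save) leaves a distinctive trail in the Redis command stream. The following detector is an added example, not code from Datadog or from the Redis project: it parses lines in the format printed by redis-cli MONITOR and flags each stage, escalating when a SAVE/BGSAVE follows a directory change into a cron location. The MONITOR lines and client addresses are constructed, and the spool paths in CRON_DIRS beyond /etc/cron.d are an assumed generalisation.

```python
"""Flag the Redis-to-cron persistence pattern in redis-cli MONITOR output (added example)."""
import re

# Directories where a dumped RDB file is picked up by cron. /etc/cron.d is the one named in
# the report; the other entries are an assumed generalisation.
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/var/spool/cron")

# One MONITOR line looks like:  <unix_ts> [<db> <client>] "ARG" "ARG" ...
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+)\s+\[(?P<db>\d+)\s+(?P<client>\S+)\]\s+(?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Five crontab schedule fields followed by a user/command token, anywhere in a value.
CRON_SPEC_RE = re.compile(r'(?m)^\s*(?:[\d*/,\-]+\s+){5}\S')


def unescape(s):
    """Undo the escaping redis-cli applies to MONITOR arguments (subset: \\n, \\", \\\\)."""
    return s.replace('\\n', '\n').replace('\\"', '"').replace('\\\\', '\\')


def parse_line(line):
    """Return {'ts', 'client', 'args'} for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [unescape(a) for a in ARG_RE.findall(m.group('args'))]
    return {'ts': float(m.group('ts')), 'client': m.group('client'), 'args': args}


def analyze_monitor(lines, window=60.0):
    """Return findings as (client, severity, description) tuples, in stream order."""
    findings = []
    last_dir_change = {}  # client -> timestamp of the last CONFIG SET dir into a cron directory
    for raw in lines:
        ev = parse_line(raw)
        if not ev or not ev['args']:
            continue
        a, c = ev['args'], ev['client']
        cmd = a[0].upper()
        if cmd == 'CONFIG' and len(a) >= 4 and a[1].upper() == 'SET':
            key, val = a[2].lower(), a[3]
            if key == 'dir' and val.rstrip('/').startswith(CRON_DIRS):
                findings.append((c, 'high', f'CONFIG SET dir -> {val} (cron directory)'))
                last_dir_change[c] = ev['ts']
            elif key == 'dbfilename' and not val.endswith('.rdb'):
                findings.append((c, 'medium', f'CONFIG SET dbfilename -> {val} (not an .rdb name)'))
        elif cmd == 'SET' and len(a) >= 3 and CRON_SPEC_RE.search(a[2]):
            findings.append((c, 'high', f'SET {a[1]} with a cron-schedule-like value'))
        elif cmd in ('SAVE', 'BGSAVE') and c in last_dir_change:
            if ev['ts'] - last_dir_change[c] <= window:
                findings.append((c, 'critical',
                                 f'{cmd} within {window:.0f}s of dir change: RDB dumped into a cron directory'))
    return findings


# Constructed MONITOR capture: one abusive client followed by one benign client.
SAMPLE_MONITOR = r'''
1747650000.100000 [0 203.0.113.5:41022] "INFO"
1747650000.200000 [0 203.0.113.5:41022] "SET" "backup1" "\n\n*/1 * * * * root /bin/true\n\n"
1747650000.300000 [0 203.0.113.5:41022] "CONFIG" "SET" "dir" "/etc/cron.d"
1747650000.400000 [0 203.0.113.5:41022] "CONFIG" "SET" "dbfilename" "apache"
1747650000.500000 [0 203.0.113.5:41022] "SAVE"
1747650001.000000 [0 10.0.0.7:55000] "SET" "session:42" "user=alice"
1747650002.000000 [0 10.0.0.7:55000] "CONFIG" "SET" "dir" "/var/lib/redis"
'''.strip().splitlines()

if __name__ == "__main__":
    for client, severity, what in analyze_monitor(SAMPLE_MONITOR):
        print(f"[{severity:8}] {client}: {what}")
```

Feeding the live output of `redis-cli MONITOR` (or a saved capture) into analyze_monitor gives the same findings; the time-window correlation between the directory change and the save is what separates this pattern from an operator legitimately changing the dump location. Renaming or disabling CONFIG for untrusted clients and keeping the instance off the public Internet remove the precondition altogether.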
Meanwhile, Guardz Security has detailed a separate identity-focused attack campaign exploiting legacy authentication protocols in Microsoft Entra ID. Between March 18 and April 7, 2025, attackers leveraged the BAV2ROPC protocol—short for Basic Authentication Version 2 – Resource Owner Password Credential—to bypass modern security measures like multi-factor authentication (MFA) and Conditional Access.
The attackers, primarily from Eastern Europe and the Asia-Pacific, launched automated brute-force attacks, heavily targeting admin accounts. While standard users faced over 50,000 login attempts, privileged accounts saw nearly 10,000 attempts from 432 unique IPs in just 8 hours—averaging 22.79 attempts per IP and peaking at a rate of 1,230 login attempts per hour.
These patterns point to a highly automated and precision-focused campaign aimed at seizing control of privileged accounts while maintaining broader pressure on regular user accounts.
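The figures reported above (attempts per IP, peak attempts per hour, the split between privileged and ordinary accounts) are exactly the aggregates a defender can compute from Entra ID sign-in logs to spot the same pattern. The script below is an added example, not code from Guardz or Microsoft. It assumes the field names of the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, userAgent, status.errorCode), that legacy clients appear under the client-app values listed and with "BAV2ROPC" in the user agent, and it runs over constructed records rather than real telemetry; the thresholds are illustrative.

```python
"""Triage Entra ID sign-in records for legacy-authentication brute force (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Client-app values Entra reports for legacy (non-modern) authentication; BAV2ROPC is
# visible in the user agent. Both lists are assumptions about the log format.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}
LEGACY_USER_AGENT_MARKERS = ("BAV2ROPC",)


def is_legacy_auth(rec):
    ua = rec.get("userAgent") or ""
    return rec.get("clientAppUsed") in LEGACY_CLIENT_APPS or any(m in ua for m in LEGACY_USER_AGENT_MARKERS)


def summarize_legacy_auth(records, admin_upns, min_attempts_per_ip=20):
    """Aggregate legacy-auth sign-ins the way the campaign was characterised:
    attempts per IP, peak attempts per hour, and pressure on privileged accounts."""
    legacy = [r for r in records if is_legacy_auth(r)]
    per_ip = Counter(r["ipAddress"] for r in legacy)
    users_per_ip = defaultdict(set)
    per_hour = Counter()
    admin_attempts = failures = 0
    for r in legacy:
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        per_hour[ts.replace(minute=0, second=0, microsecond=0)] += 1
        admin_attempts += r["userPrincipalName"] in admin_upns
        failures += r["status"]["errorCode"] != 0
    return {
        "legacy_attempts": len(legacy),
        "unique_ips": len(per_ip),
        "avg_attempts_per_ip": round(len(legacy) / len(per_ip), 2) if per_ip else 0.0,
        "peak_attempts_per_hour": max(per_hour.values(), default=0),
        "admin_attempts": admin_attempts,
        "failed_attempts": failures,
        # IPs hammering a single account hard enough to warrant a block
        "block_candidates": sorted(ip for ip, n in per_ip.items() if n >= min_attempts_per_ip),
        # IPs touching several accounts, i.e. spraying rather than targeting one user
        "spraying_ips": sorted(ip for ip, u in users_per_ip.items() if len(u) >= 3),
    }


def _rec(ts, ip, upn, client_app, user_agent, error_code):
    return {"createdDateTime": ts.isoformat(), "ipAddress": ip, "userPrincipalName": upn,
            "clientAppUsed": client_app, "userAgent": user_agent, "status": {"errorCode": error_code}}


# Constructed sample: 40 guesses against one admin account from one IP inside a single hour
# (AADSTS 50126 = invalid credentials), 15 SMTP AUTH guesses sprayed over three ordinary
# users from a second IP, and 5 legitimate browser sign-ins that must not be counted.
T0 = datetime(2025, 4, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = (
    [_rec(T0 + timedelta(seconds=90 * i), "198.51.100.10", "admin@example.com",
          "Other clients", "BAV2ROPC", 50126) for i in range(40)]
    + [_rec(T0 + timedelta(hours=1, minutes=2 * i), "198.51.100.11", f"user{i % 3}@example.com",
            "Authenticated SMTP", "BAV2ROPC", 50126) for i in range(15)]
    + [_rec(T0 + timedelta(hours=2, minutes=i), "192.0.2.20", "alice@example.com",
            "Browser", "Mozilla/5.0", 0) for i in range(5)]
)

if __name__ == "__main__":
    for key, value in summarize_legacy_auth(SAMPLE_RECORDS, {"admin@example.com"}).items():
        print(f"{key}: {value}")
```

Pointing the same function at an export of the tenant's sign-in logs (filtered to the window of interest) reproduces the per-IP and per-hour view in the report; a non-zero legacy_attempts count on a tenant that believes it has blocked legacy authentication is itself the finding, since a correctly scoped Conditional Access block should leave nothing for this filter to match.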
This campaign echoes similar abuse of legacy protocols observed in past incidents—such as the 2021 BEC attacks Microsoft documented, which also involved BAV2ROPC and IMAP/POP3.
Security recommendations include:
- Blocking legacy authentication using Conditional Access policies
- Disabling BAV2ROPC where not required
- Turning off SMTP AUTH in Exchange Online when unused
Together, these campaigns illustrate how both server misconfigurations and outdated identity protocols continue to be exploited for financial and intelligence-gathering purposes, underscoring the importance of proactive configuration and identity hygiene.