Full Report
[Update: Disclosure and other points are discussed in a little more detail here.] Why memcached? At BlackHat USA last year we spoke about attacking cloud systems; while the thinking was broadly applicable, we focused on specific providers (overview). This year we continued in the same vein, except that we focused on a particular piece of software used in numerous large-scale applications, including many cloud services. In the realm of “software that enables cloud services” there appears to be a handful of “go to” applications that are consistently re-used, and it’s curious that a security practitioner’s perspective has not yet been applied to them (disclaimer: I’m not aware of parallel work).
Analysis Summary
# Tool/Technique: go-derper
## Overview
`go-derper` is a custom tool designed for interacting with and exploiting **memcached** instances. Its primary purpose is to aid security practitioners in fingerprinting, extracting data from, and writing data back into memcached caches deployed in various large-scale and cloud applications.
## Technical Details
- Type: Tool (Proof-of-Concept/Security Tool)
- Platform: Target systems running memcached instances (implying Linux/Unix environments commonly hosting web services, but the tool itself requires a recent Ruby interpreter).
- Capabilities: Fingerprinting memcached statistics, extracting cache contents (key/value pairs), applying regular expressions during extraction, and overwriting existing cache entries.
- First Seen: Referenced in a BlackHat USA context around August 2010.
## MITRE ATT&CK Mapping
Since `go-derper` is an exploitation/information gathering tool targeting an infrastructure component (memcached), the relevant mappings focus on discovery and collection.
- **TA0007 - Discovery**
  - T1046 - Network Service Scanning
  - T1082 - System Information Discovery (primarily via fingerprinting statistics)
- **TA0009 - Collection**
  - T1005 - Data from Local System (if data persists on the cache server)
## Functionality
### Core Capabilities
- **Fingerprinting:** Connects to a memcached instance (default port 11211) to retrieve statistics (`stat` command output) such as memory usage, item counts, network statistics (total bytes read/written), and memcached version. This helps in assessing the potential value of the cache. Output can be human-readable or CSV for easier sorting.
- **Mining (Extraction):** Extracts key/value pairs from the cache using the `-l` switch. Values are saved to files in an output directory (e.g., `./*runN-*`), indexed separately to avoid using potentially malicious key names directly on the local filesystem.
- **Over-writing:** Allows an attacker to modify a locally saved cache entry and write the modified version back into the live memcached server using the index file information.
### Advanced Features
- **Regex Filtering during Mining:** Supports the use of a provided file containing custom regular expressions (`-R` switch). Matches found within extracted cache values are printed directly to the screen, allowing for targeted information searching (e.g., looking for URLs, session IDs, credentials starting with "user," "pass," or "auth").
- **Monitoring Mode:** The `-m` switch allows the tool to loop indefinitely, retrieving statistics and tracking differences between iterations to determine if the cache is actively being used.
## Indicators of Compromise
*Note: As this is a tool description, IoCs relate to the tool's execution rather than a specific malware infection.*
- File Hashes: Not provided in the text.
- File Names: `go-derper.rb` (the script itself).
- Registry Keys: Not applicable (Linux/Ruby based tool).
- Network Indicators: Connections to TCP port **11211** on target hosts, utilizing the memcached protocol commands (e.g., `stats`, `get`, `set`).
- Behavioral Indicators: Processes running Ruby scripts performing extensive network connections to port 11211, followed by localized file creation/modification corresponding to extracted cache data.
## Associated Threat Actors
The tool was developed and presented by SensePost researchers (Marco). It is described as a research/Proof-of-Concept tool, not inherently linked to a known threat actor group based solely on this article.
## Detection Methods
- Signature-based detection: Signatures could target the scripted issuance of the protocol commands associated with the tool's modes (e.g., `stats`, `get`, or `delete`).
- Behavioral detection: Monitoring for non-standard Ruby execution initiating high volumes of connections to port 11211, especially correlating with local file system activity for data storage/retrieval.
- YARA rules: Not provided in the text.
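The behavioural detection above can be expressed as a small rule set over a request log. The following is an added example, not part of the original article or of `go-derper` itself; it assumes a constructed sensor log format of one memcached request per line (`<epoch_seconds> <client_ip> <dst_port> <command> [key]`), which no real sensor emits verbatim. It flags a client that polls `stats` repeatedly (the monitoring loop) or that issues `stats` and then retrieves many distinct keys (fingerprint, then sweep), while an application node that only gets and sets its own keys, or a monitoring agent that asks for `stats` once a minute, stays quiet.

```python
import re
from collections import Counter, defaultdict

MEMCACHED_PORT = 11211

# Assumed (constructed) sensor log format, one request per line:
#   "<epoch_seconds> <client_ip> <dst_port> <command> [key]"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+(?P<port>\d+)\s+(?P<cmd>[a-z_]+)"
    r"(?:\s+(?P<key>\S+))?\s*$"
)


def parse_log(text):
    """Parse log text into (ts, src, port, cmd, key) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((float(m["ts"]), m["src"], int(m["port"]), m["cmd"], m["key"]))
    return events


def detect_miners(events, window=60.0, stats_threshold=3, get_threshold=20):
    """Return {client_ip: [reasons]} for clients whose port-11211 traffic, inside any
    sliding window of `window` seconds, matches the scripted-access pattern:
      - `stats` issued stats_threshold or more times (polling / monitoring loop), or
      - at least one `stats` plus `get` of get_threshold or more distinct keys
        (fingerprint the instance, then sweep the cache).
    Clients that only get/set their own keys never trigger either rule."""
    by_src = defaultdict(list)
    for ts, src, port, cmd, key in events:
        if port == MEMCACHED_PORT:
            by_src[src].append((ts, cmd, key))

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        reasons = set()
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start..end] spans at most `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            cmds = Counter(e[1] for e in win)
            if cmds["stats"] >= stats_threshold:
                reasons.add("repeated stats polling")
            distinct_keys = {e[2] for e in win if e[1] == "get" and e[2]}
            if cmds["stats"] >= 1 and len(distinct_keys) >= get_threshold:
                reasons.add("stats followed by bulk key retrieval")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


def build_sample_log():
    """Constructed sample traffic: an app node, a monitoring agent and a scripted client."""
    lines = []
    # 10.0.0.5: application node, steady get/set over a few hot keys, never asks for stats
    for i in range(40):
        cmd = "set" if i % 5 == 0 else "get"
        lines.append(f"{1000 + 2 * i} 10.0.0.5 11211 {cmd} hot:{i % 4}")
    # 10.0.0.7: monitoring agent, one stats call every 90 seconds (benign, below threshold)
    for i in range(3):
        lines.append(f"{1000 + 90 * i} 10.0.0.7 11211 stats")
    # 10.0.0.9: scripted client, stats every 5 s, then a sweep over distinct session keys
    for i in range(4):
        lines.append(f"{1000 + 5 * i} 10.0.0.9 11211 stats")
    for i in range(25):
        lines.append(f"{1020 + i} 10.0.0.9 11211 get sess:{i:03d}")
    lines.append("this line is malformed and must be skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, reasons in detect_miners(parse_log(build_sample_log())).items():
        print(src, "->", "; ".join(reasons))
```

The thresholds are the tunable part: on a fleet where application nodes legitimately call `stats` (some client libraries do for health checks), raise `stats_threshold` and rely on the second rule, which keys off the combination of `stats` with a wide key sweep rather than on `stats` alone.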
## Mitigation Strategies
- Prevention measures: Deploy memcached instances only on private/internal networks inaccessible to the public internet.
- Hardening recommendations: Ensure memcached is not exposed externally. Implement strong authentication if remote access is absolutely required (memcached has traditionally been unauthenticated). Regularly review what the cache holds, since any party able to reach the instance can read it.
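A configuration check for the two prevention points above, as an added example that is not from the article or from `go-derper`. It assumes a Debian-style `memcached.conf` (one memcached command-line option per line, `#` comments), and looks at the two switches that decide exposure: `-l`, which binds the listener to specific addresses (absent, memcached listens on every interface), and `-U`, which sets the UDP port (`-U 0` disables UDP; builds before 1.5.6 enabled it by default). The weak and hardened configurations embedded below are constructed samples.

```python
import ipaddress

# Assumed input: Debian-style /etc/memcached.conf, one command-line option per line,
# "#" comments allowed (the same switches memcached accepts on its command line).
WEAK_CONF = """\
# constructed example: memcached left with its defaults, reachable on every interface
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """\
# constructed example: bound to loopback, UDP disabled
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""


def parse_conf(text):
    """Return a list of (flag, value) pairs; value is None for bare flags."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.append((parts[0], parts[1].strip() if len(parts) > 1 else None))
    return opts


def audit_memcached_conf(text):
    """Return findings explaining why a config would leave the cache reachable from
    beyond a private network. An empty list means the config passes these checks."""
    findings = []
    listen = []
    udp_port = None  # no -U: UDP enabled on the TCP port in builds before 1.5.6
    for flag, value in parse_conf(text):
        if flag == "-l" and value:
            # -l accepts a comma-separated list of addresses
            listen.extend(a.strip() for a in value.split(","))
        elif flag == "-U" and value:
            udp_port = value
    if not listen:
        findings.append("no -l: memcached binds all interfaces")
    for addr in listen:
        # tolerate the IPv4 addr:port form memcached allows; IPv6 literals are used whole
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"-l {addr}: not an IP literal, cannot verify")
            continue
        if ip.is_unspecified:
            findings.append(f"-l {addr}: wildcard address exposes all interfaces")
        elif not (ip.is_loopback or ip.is_private):
            findings.append(f"-l {addr}: public address")
    if udp_port != "0":
        findings.append("UDP not disabled (-U 0)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_memcached_conf(conf) or "ok")
```

Binding to a private address is accepted here because the page's prevention measure is an internal network, not loopback only; tighten the `is_private` branch if your policy is that only the local web server may talk to the cache.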
## Related Tools/Techniques
- NSE scripts that hunt for open memcached instances (mentioned as the preliminary step before using `go-derper`).