Threat actors have targeted tens of thousands of unauthenticated Redis servers exposed across the internet as part of a cryptocurrency mining campaign.
Redis is a popular open-source data structure tool that can be used as an in-memory distributed database, message broker, or cache. The tool is not designed to be exposed to the internet; however, researchers have spotted tens of thousands of publicly accessible Redis instances that require no authentication.
Researcher Victor Zhu has detailed a Redis unauthorized access vulnerability that could be exploited to compromise Redis instances exposed online.
“Under certain conditions, if Redis is running with the root account (or even not), attackers can write an SSH public key file to the root account, connecting directly to the victim server via SSH. This can allow hackers to gain server privileges, delete or steal data, or even lead to encryption extortion, seriously endangering normal business services,” reads the post published by Zhu on September 11, 2022.
Now Censys researchers are warning of tens of thousands of unauthenticated Redis servers exposed on the internet being attacked.
Hackers target these instances to install a cryptocurrency miner.
“There are 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet,” warns Censys. “Nearly 50% of unauthenticated Redis services on the Internet show signs of an attempted compromise.”
“The general idea behind this exploit technique is to configure Redis to write its file-based database to a directory containing a method to authorize a user (like adding a key to ‘.ssh/authorized_keys’), or start a process (like adding a script for ‘/etc/cron.d’),” Censys adds.
Experts have found evidence of the ongoing hacking campaign: threat actors attempted to store malicious crontab entries in the “/var/spool/cron/root” file using multiple Redis keys prefixed with the string “backup”. The crontab entries allowed attackers to run a shell script hosted on a remote server.
The shell script was designed to perform the following malicious actions:
- Stops and disables any running security-related processes
- Stops and disables all running system watcher processes
- Deletes and purges all system and security-related log files, including shell histories (e.g. .bash_history)
- Adds a new SSH key to the root user’s authorized_keys file
- Disables the iptables firewall
- Installs several hacking and scanning tools such as “masscan”
- Installs and runs the XMRig cryptocurrency mining application
The researchers used a recent list of unauthenticated Redis services running on TCP port 6379 to run a one-time scan that checked for the existence of the “backup1” key on each host. Censys discovered that of the 31,239 unauthenticated Redis servers in this list, 15,526 hosts had this set of keys. These instances have been targeted by threat actors with the technique described above.
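As an added, defender-side illustration of the one-time check Censys describes (this is not code from the report or from Redis): a small Python script that speaks RESP to a Redis server you are authorised to inspect, reads the `dir` and `dbfilename` settings, lists any `backup*` keys, and flags a dump target inside a cron directory. The RESP encoder and parser, `assess()` and `check_host()` are written for this example; the cron directories and the `backup` key prefix come from the article.

```python
import socket
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d")  # locations named in the report

def encode_cmd(*args):
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    body = b"".join(b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode()) for a in args)
    return f"*{len(args)}\r\n".encode() + body

def parse_resp(buf):
    """Parse one RESP2 reply; returns (value, unconsumed bytes). Minimal, for this check."""
    kind, (line, _, rest) = buf[:1], buf[1:].partition(b"\r\n")
    if kind in (b"+", b"-"):          # simple string / error reply
        return line.decode(), rest
    if kind == b":":                  # integer
        return int(line), rest
    if kind == b"$":                  # bulk string; length -1 means nil
        n = int(line)
        return (None, rest) if n < 0 else (rest[:n].decode(), rest[n + 2:])
    if kind == b"*":                  # array: parse each element in turn
        items = []
        for _ in range(int(line)):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP type {kind!r}")

def assess(cfg_dir, dbfilename, keys):
    """Return the indicators matched by a server's state; an empty list means none."""
    findings = []
    target = f"{(cfg_dir or '').rstrip('/')}/{dbfilename or ''}"
    if any(target.startswith(d + "/") for d in CRON_DIRS):
        findings.append(f"RDB dump target is inside a cron directory: {target}")
    backup = sorted(k for k in keys if k.startswith("backup"))
    if backup:
        findings.append("campaign-style keys present: " + ", ".join(backup))
    return findings

def check_host(host, port=6379, timeout=3.0):  # inspect one server you are authorised to test
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_cmd("CONFIG", "GET", "dir") + encode_cmd("CONFIG", "GET", "dbfilename")
                  + encode_cmd("KEYS", "backup*") + encode_cmd("QUIT"))
        buf = b""
        while chunk := s.recv(65536):   # Redis closes the connection after QUIT
            buf += chunk
    cfg_dir, buf = parse_resp(buf)
    dbfile, buf = parse_resp(buf)
    keys, _ = parse_resp(buf)
    if not isinstance(cfg_dir, list):   # e.g. "NOAUTH ...": auth is enforced, CONFIG not readable
        return [f"server refused CONFIG: {cfg_dir}"]
    return assess(cfg_dir[1], dbfile[1], keys if isinstance(keys, list) else [])
```

A hit from `assess()` on a host you own is a signal to review the crontab file named in the article and the server's `dir`/`dbfilename` settings, not proof of compromise by itself.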
Most Redis servers exposed to the Internet are located in China (15.29%), followed by Germany (14.11%) and Singapore (12.43%).
“Still, that doesn’t mean there are more than 15,000 compromised hosts. It is unlikely that the conditions necessary for this vulnerability to succeed are met for each of these hosts. The main reason many of these attempts will fail is that the Redis service must be run as a user with the appropriate permissions to write to the ‘/var/spool/cron’ directory (i.e. root),” the report concludes. “Although this may be the case when running Redis in a container (like docker), where the process may see itself running as root and allowing the attacker to write these files. But in this case, only the container is affected, not the physical host.”
The report also includes a list of mitigations for these attacks.