Threat actors targeted tens of thousands of unauthenticated Redis servers exposed on the internet as part of a cryptocurrency campaign.
Redis, is a popular open source data structure tool that can be used as an in-memory distributed database, message broker or cache. The tool is not designed to be exposed on the Internet, however, researchers spotted tens of thousands of Redis instances publicly accessible without authentication.
The researcher Victor Zhu detailed a Redis unauthorized access vulnerability that could be exploited to compromise Redis instances exposed online.
“Under certain conditions, if Redis runs with the root account (or not even), attackers can write an SSH public key file to the root account, directly logging on to the victim server through SSH. This may allow hackers to gain server privileges, delete or steal data, or even lead to an encryption extortion, critically endangering normal business services.” reads the post published by Zhu on September 11, 2022.
Now researchers from Censys are warning of tens of thousands of unauthenticated Redis servers exposed on the internet that are under attack.
Threat actors are targeting these instances to install a cryptocurrency miner.
“There are 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet.” warns Censys. “Almost 50% of unauthenticated Redis services on the internet show signs of an attempted compromise.”
“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory containing some method to authorize a user (like adding a key to ‘.ssh/authorized_keys’), or start a process (like adding a script to ‘/etc/cron.d’),” Censys adds.
The experts found evidence that demonstrates the ongoing hacking campaign, threat actors attempted to store malicious crontab entries into the file “/var/spool/cron/root” using several Redis keys prefixed with the string “backup.” The crontab entries allowed the attackers to execute a shell script hosted on a remote server.
The shell script was designed to perform the following malicious actions:
- Stops and disables any running security-related process
- Stops and disables any running system monitoring processes
- Removes and purges all system and security-related log files, including shell histories (eg, .bash_history).
- Adds a new SSH key to the root user’s authorized_keys file
- Disables the iptables firewall
- Installs several hacking and scanning tools such as “masscan”
- Installs and runs the cryptocurrency mining application XMRig
The researchers used a recent list of unauthenticated Redis services running on TCP port 6379 to run a one-time scan that looked for the existence of the key “backup1” on every host. Censys found that out of the 31,239 unauthenticated Redis servers in this list, 15,526 hosts had this key set. These instances were targeted by threat actors with the technique described above.
Most of the Internet-exposed Redis servers are located in China (15.29%) followed by Germany (14.11%), and Singapore (12.43%).
“Still, this does not mean that there are over 15k compromised hosts. It is improbable that the conditions needed for this vulnerability to be successful are in place for each one of these hosts. The primary reason many of these attempts will fail is that the Redis service needs to be running as a user with the proper permissions to write to the directory “/var/spool/cron” (ie, root).” concludes the report. “Although, this can be the case when running Redis inside a container (like docker), where the process might see itself running as root and allow the attacker to write these files. But in this case, only the container is affected, not the physical host.”
The report also includes a list of mitigations for these attacks.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, mining)