Over 39,000 Unauthenticated Redis Instances Found Exposed on the Internet

An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet to install a cryptocurrency miner.

It is not immediately known if all of these hosts were successfully compromised. However, this was made possible by a “lesser known technique” used to trick the servers into writing data to arbitrary files – a case of unauthorized access first documented in September 2018.

“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory that contains a method to authorize a user (like adding a key to ‘.ssh/authorized_keys’) or a process starts (like adding a script after ‘/etc/cron.d’),” Censys said in a new article.

Internet security

The attack surface management platform said it discovered evidence (e.g. Redis commands) pointing to efforts by the attacker to store malicious crontab entries in the /var/spool/cron/root file, leading to execution of a hosted shell script run on a remote server.

The shell script, which is still accessible, is designed to perform the following actions –

  • Shut down security and system monitoring processes
  • Clear log files and command histories
  • Add a new SSH key (“backup1”) to the root user’s “authorized_keys” file to enable remote access
  • Disable the iptables firewall
  • Install scanning tools like Massscan and
  • Install and run the XMRig cryptocurrency mining application
Also Read :  Here's How To Get The Best Internet Experience In Your Home

The SSH key is said to have been set on 15,526 out of 31,239 unauthenticated Redis servers, suggesting that the attack was attempted on “over 49% of the known unauthenticated Redis servers on the internet”.

However, a key reason why this attack might fail is that the Redis service needs to run with elevated privileges (i.e. root) in order for the attacker to write to the cron directory mentioned above.

Also Read :  Church leader drops note during Queen's funeral and internet loses it

“However, this may be the case when Redis is running in a container (like Docker) where the process could root itself and allow the attacker to write these files,” Censys researchers said. “But in this case, only the container is affected, not the physical host.”

Internet security

Censys’ report also revealed that there are approximately 350,675 Internet-facing Redis database services spanning 260,534 unique hosts.

“While most of these services require authentication, 11% (39,405) do not,” the company said, adding, “Of the total of 39,405 unauthenticated Redis servers we observed, the potential data exposure is over 300 gigabytes .”

The top 10 countries with exposed and unauthenticated Redis services include China (20,011), US (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711 ), Hong Kong (512), the Netherlands (433) and Ireland (390).

Also Read :  “Conor McGregor In The Van Damme Role!"- Conor McGregor’s Sylvester Stallone Inspired Post ‘With A Big M60 Gun Like Rambo’ Breaks The Internet

China also leads when it comes to the amount of data disclosed per country with 146 gigabytes, while the US is a distant second at around 40 gigabytes.

Censys said it also found numerous instances of Redis services being misconfigured, noting that “Israel is one of the few regions where the number of misconfigured Redis servers outnumbers the properly configured ones.”

To mitigate threats, users are advised to enable client authentication, configure Redis to only run on internal network interfaces, prevent misuse of the CONFIG command by renaming it to something unpredictable, and configure firewalls to do so that Redis connections are only accepted from trusted hosts.

Source link