An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet to install a cryptocurrency miner.
It is not immediately known if all of these hosts were successfully compromised. However, this was made possible by a “lesser known technique” used to trick the servers into writing data to arbitrary files – a case of unauthorized access first documented in September 2018.
“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory that contains a method to authorize a user (like adding a key to ‘.ssh/authorized_keys’) or a process starts (like adding a script after ‘/etc/cron.d’),” Censys said in a new article.
The attack surface management platform said it discovered evidence (e.g. Redis commands) pointing to efforts by the attacker to store malicious crontab entries in the /var/spool/cron/root file, leading to execution of a hosted shell script run on a remote server.
The shell script, which is still accessible, is designed to perform the following actions –
- Shut down security and system monitoring processes
- Clear log files and command histories
- Add a new SSH key (“backup1”) to the root user’s “authorized_keys” file to enable remote access
- Disable the iptables firewall
- Install scanning tools like Massscan and
- Install and run the XMRig cryptocurrency mining application
The SSH key is said to have been set on 15,526 out of 31,239 unauthenticated Redis servers, suggesting that the attack was attempted on “over 49% of the known unauthenticated Redis servers on the internet”.
However, a key reason why this attack might fail is that the Redis service needs to run with elevated privileges (i.e. root) in order for the attacker to write to the cron directory mentioned above.
“However, this may be the case when Redis is running in a container (like Docker) where the process could root itself and allow the attacker to write these files,” Censys researchers said. “But in this case, only the container is affected, not the physical host.”
Censys’ report also revealed that there are approximately 350,675 Internet-facing Redis database services spanning 260,534 unique hosts.
“While most of these services require authentication, 11% (39,405) do not,” the company said, adding, “Of the total of 39,405 unauthenticated Redis servers we observed, the potential data exposure is over 300 gigabytes .”
The top 10 countries with exposed and unauthenticated Redis services include China (20,011), US (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711 ), Hong Kong (512), the Netherlands (433) and Ireland (390).
China also leads when it comes to the amount of data disclosed per country with 146 gigabytes, while the US is a distant second at around 40 gigabytes.
Censys said it also found numerous instances of Redis services being misconfigured, noting that “Israel is one of the few regions where the number of misconfigured Redis servers outnumbers the properly configured ones.”
To mitigate threats, users are advised to enable client authentication, configure Redis to only run on internal network interfaces, prevent misuse of the CONFIG command by renaming it to something unpredictable, and configure firewalls to do so that Redis connections are only accepted from trusted hosts.