Over 39,000 Unauthenticated Redis Cases Discovered Uncovered on the Web {March 2023}

An unknown attacker focused tens of 1000’s of unauthenticated Redis servers uncovered on the web in an try to set up a cryptocurrency miner.

It is not instantly identified if all of those hosts had been efficiently compromised. Nonetheless, it was made doable by the use of a “lesser-known approach” designed to trick the servers into writing information to arbitrary information – a case of unauthorized entry that was first documented in September 2018.

“The overall thought behind this exploitation approach is to configure Redis to put in writing its file-based database to a listing containing some methodology to authorize a person (like including a key to ‘.ssh/authorized_keys’), or begin a course of (like including a script to ‘/and so on/cron.d’),” Censys mentioned in a brand new write-up.

The assault floor administration platform mentioned it uncovered proof (i.e., Redis instructions) indicating efforts on a part of the attacker to retailer malicious crontab entries into the file “/var/spool/cron/root,” ensuing within the execution of a shell script hosted on a distant server.

The shell script, which remains to be accessible, is engineered to carry out the next actions –

Terminate security-related and system monitoring processes
Purge log information and command histories
Add a brand new SSH key (“backup1”) to the foundation person’s authorized_keys file to allow distant entry
Disable iptables firewall
Set up scanning instruments like masscan, and
Set up and run the cryptocurrency mining software XMRig

The SSH key’s mentioned to have been set on 15,526 out of 31,239 unauthenticated Redis servers, suggesting that the assault was tried on “over 49% of identified unauthenticated Redis servers on the web.”

Nonetheless, a main motive why this assault might fail is as a result of the Redis service must be working with elevated permissions (i.e., root) in order to allow the adversary to put in writing to the aforementioned cron listing.

“Though, this may be the case when working Redis inside a container (like docker), the place the method would possibly see itself working as root and permit the attacker to put in writing these information,” Censys researchers mentioned. “However on this case, solely the container is affected, not the bodily host.”

Censys’s report additionally revealed that there are about 350,675 internet-accessible Redis database companies spanning 260,534 distinctive hosts.

“Whereas most of those companies require authentication, 11% (39,405) don’t,” the corporate mentioned, including “out of the whole 39,405 unauthenticated Redis servers we noticed, the potential information publicity is over 300 gigabytes.”

The highest 10 international locations with uncovered and unauthenticated Redis companies embody China (20,011), the U.S. (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711), Hong Kong (512), the Netherlands (433), and Eire (390).

China additionally leads in relation to the quantity of information uncovered per nation, accounting for 146 gigabytes of information, with the U.S. coming a distant second with roughly 40 gigabytes.

Censys mentioned it additionally discovered quite a few situations of Redis companies which were misconfigured, noting that “Israel is likely one of the solely areas the place the variety of misconfigured Redis servers outnumber the correctly configured ones.”

To mitigate threats, customers are suggested to allow consumer authentication, configure Redis to run solely on internal-facing community interfaces, forestall the abuse of CONFIG command by renaming it to one thing unguessable, and configure firewalls to just accept Redis connections solely from trusted hosts.