An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to install a cryptocurrency miner.
It's not immediately known if all of these hosts were successfully compromised. Nonetheless, it was made possible by means of a "lesser-known technique" designed to trick the servers into writing data to arbitrary files – a case of unauthorized access that was first documented in September 2018.
"The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory containing some method to authorize a user (like adding a key to '.ssh/authorized_keys'), or start a process (like adding a script to '/etc/cron.d')," Censys said in a new write-up.
The attack surface management platform said it uncovered evidence (i.e., Redis commands) indicating efforts on part of the attacker to store malicious crontab entries into the file "/var/spool/cron/root," resulting in the execution of a shell script hosted on a remote server.
The shell script, which is still accessible, is engineered to perform the following actions -
- Terminate security-related and system monitoring processes
- Purge log files and command histories
- Add a new SSH key ("backup1") to the root user's authorized_keys file to enable remote access
- Disable iptables firewall
- Install scanning tools like masscan, and
- Install and run the cryptocurrency mining application XMRig
The SSH key is said to have been set on 15,526 out of 31,239 unauthenticated Redis servers, suggesting that the attack was attempted on "over 49% of known unauthenticated Redis servers on the internet."
However, a primary reason why this attack could fail is because the Redis service needs to be running with elevated permissions (i.e., root) so as to enable the adversary to write to the aforementioned cron directory.
"Although, this can be the case when running Redis inside a container (like docker), where the process might see itself running as root and allow the attacker to write these files," Censys researchers said. "But in this case, only the container is affected, not the physical host."
Censys's report also revealed that there are about 350,675 internet-accessible Redis database services spanning 260,534 unique hosts.
"While most of these services require authentication, 11% (39,405) do not," the company said, adding "out of the total 39,405 unauthenticated Redis servers we observed, the potential data exposure is over 300 gigabytes."
The top 10 countries with exposed and unauthenticated Redis services include China (20,011), the U.S. (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711), Hong Kong (512), the Netherlands (433), and Ireland (390).
China also leads when it comes to the amount of data exposed per country, accounting for 146 gigabytes of data, with the U.S. coming a distant second with roughly 40 gigabytes.
Censys said it also found numerous instances of Redis services that have been misconfigured, noting that "Israel is one of the only regions where the number of misconfigured Redis servers outnumber the properly configured ones."
To mitigate threats, users are advised to enable client authentication, configure Redis to run only on internal-facing network interfaces, prevent the abuse of CONFIG command by renaming it to something unguessable, and configure firewalls to accept Redis connections only from trusted hosts.