An unknown attacker tried to install a bitcoin miner on tens of thousands of unauthenticated Redis servers that were accessible via the internet.
If all of these hosts were successfully compromised is not yet known. However, it was made feasible via a lesser-known approach. This was created to mislead the servers into writing data to random files. This unauthorized access was first noted in September 2018.
The general concept behind this exploitation technique, according to a recent report from Censys, is to set up Redis to write its file-based database to a directory. The directory contains some methods to authorize a user (“.ssh/authorized keys”) or starting a process (“/etc/cron.d”).
A shell script stored on a remote server was executed as a result of the attacker’s attempts to place malicious crontab. The entries in the file “/var/spool/cron/root,” are according to the attack surface management platform. This evidence was found in the form of Redis instructions.
The still-accessible shell script is designed to carry out the following tasks:
- Put an end to system monitoring and security-related processes.
- Delete command history and logs
- To enable remote access, add a new SSH key (“backup1”) to the root user’s authorized keys file.
- Turn off the iptables firewall.
- Install scanning software such as Masscan, and
- Install and launch the XMRig bitcoin mining programme.
The data
15,526 out of 31,239 unauthenticated Redis servers are stated to have the SSH key set. It indicates that “almost 49% of known unauthenticated Redis servers on the internet” were the target of the attack.
However, the Redis service must be operating with elevated permissions (i.e., root) in order for the adversary to be able to write to the previously specified cron directory, which is one of the main reasons why this attack may fail.
However, putting Redis inside a container (like Docker) may result in the process believing it is operating as root. This allows the attacker to write these files, according to Censys researchers. But in this instance, only the container—not the physical host—is impacted.
The Censys research also identified 260,534 distinct hosts hosting around 350,675 internet-accessible Redis database services.
In contrast to the majority of these services, 11% (or 39,405) do not require authentication, the business noted. Adding to that “out of the total 39,405 unauthenticated Redis servers we discovered, the potential data exposure is over 300 terabytes”.
China (20,011), the United States (5,108), Germany (1,724), Singapore (1,236), India (876), France (807), Japan (711), Hong Kong (512), the Netherlands (433), and Ireland are the top 10 nations having exposed and unauthenticated Redis services (390).
China tops the list of nations with the most data exposed, accounting for 146 gigabytes, with the United States trailing far behind with just 40 gigabytes.
Mitigations
Countless instances of improperly configured Redis services were also discovered. According to Censys, who added that “Israel is one of the only regions where the number of improperly configured Redis servers outnumbers the properly configured ones.”
Users are encouraged to activate client authentication and set Redis to only run-on internal network interfaces. Also, change the name of the CONFIG command to something difficult to guess. Additionally set firewalls to only accept connections from trustworthy hosts in order to reduce threats.
