UPDATE: In a statement, Redis told TechRadar Pro that it “is very supportive of the cybersecurity research community and we want to give credit to AquaSec for publishing this report for the benefit of the Redis community. Their report shows the potential dangers of misconfiguring Redis. We encourage all Redis users to follow the security guidelines and best practices published in our open source AND commercial documentation on our site. We also offer a free security course through Redis University that covers both our open source and commercial offerings.”
“It should be noted that there is no indication that Redis Enterprise or Redis Cloud services are affected by these attacks.”
More than a thousand Redis servers have been infected with custom malware called HeadCrab, according to researchers.
The malware makes the compromised endpoints mine Monero, a privacy-oriented cryptocurrency and a favorite of hackers.
Aqua Security’s Nautilus research team discovered a botnet of 1,200 Redis servers infected over the past year and a half. The servers are located in the US, UK, Germany, India, Malaysia, China, and elsewhere, and apart from all running Redis they have nothing in common.
Authentication disabled by default
“The victims appear to have little in common, but the attacker seems to be targeting Redis servers mainly, and has a deep understanding and expertise in Redis modules and APIs, as evidenced by the malware,” said researchers Asaf Eitani and Nitzan Yaakov.
As it turns out, open source Redis servers ship with authentication turned off by default, which lets attackers access them and execute code remotely without authenticating as a user. Many Redis users apparently never enabled the authentication feature, leaving their endpoints exposed to attack.
Furthermore, Redis clusters use master and slave servers to replicate and synchronize data. Attackers can issue the SLAVEOF command, which is available by default, to make the target endpoint a slave of a Redis server they already control, and that replication link is what lets them deploy the HeadCrab malware.
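The two conditions the report describes, authentication never enabled and the SLAVEOF replication command reachable by anyone, can be checked in a server's configuration before a box is exposed. The following is an added example, not code from the article or from Redis: a small audit of redis.conf text that flags those conditions, run over two constructed sample configs (the directive names requirepass, protected-mode, bind and rename-command are real redis.conf directives; the sample values are made up).

```python
# Added example: audit redis.conf text for the exposure paths in the HeadCrab
# report. The two configs below are constructed samples, not real deployments.

WEAK_CONF = """
# constructed sample: the exposed setup described in the article
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# constructed sample: auth on, loopback only, replication commands disabled
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

def parse_conf(text):
    """Parse 'directive value...' lines into {directive: [values]}; directives
    such as rename-command may repeat, and '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, rest = line.partition(" ")
            conf.setdefault(name.lower(), []).append(rest.strip())
    return conf

def audit(text):
    """Return finding codes for the weaknesses the HeadCrab campaign relied on."""
    conf = parse_conf(text)
    findings = []
    # Redis ships with no password: requirepass, an ACL file or user lines are needed.
    if not any(k in conf for k in ("requirepass", "aclfile", "user")):
        findings.append("no-auth")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode-off")
    # A wildcard bind address listens on every interface (assume wildcard if absent).
    addrs = " ".join(conf.get("bind", ["0.0.0.0"])).split()
    if any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind-all-interfaces")
    # SLAVEOF and its alias REPLICAOF must both be renamed to "" (which disables them).
    disabled = {v.split()[0].upper() for v in conf.get("rename-command", [])
                if len(v.split()) == 2 and v.split()[1] == '""'}
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("replication-commands-enabled")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))          # all four findings
    print("hardened:", audit(HARDENED_CONF))  # []
```

Newer Redis versions also offer ACLs for restricting individual commands per user; the rename-command approach shown here is the long-standing mechanism and still works alongside them.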
The researchers do not know who is behind the campaign, but from the attackers’ cryptocurrency wallets they estimate that it brings in around $4,500 a year per infected device.
“We noticed that the attacker went to great lengths to ensure that his attack was concealed,” the researchers added.
Monero is probably the most popular cryptocurrency among cryptojacking hackers. Over the years there have been countless reports of criminals deploying XMRig, the popular Monero miner, on servers and in data centers around the world, running up huge electricity bills for victims while rendering their servers virtually unusable.
By: Register