Are attackers harnessing your Redis server?
Earlier this year security researchers warned about vulnerable Apache Solr, Redis, and Windows servers hit with cryptominers.
Imperva now says that there are still too many Internet-facing Redis servers and that 75% of them show signs of having been infected with malware.
Testing open Redis servers
“Redis is a great tool, it can serve as in-memory distributed database, cache or a message broker and is widely popular,” the researchers note.
But Redis servers are designed to be accessed by trusted clients inside trusted environments, have no default authentication, and store all data in clear text.
Unfortunately, a simple Shodan search shows that there are 72,000 publicly available ones.
After setting up their own honeypot Redis servers, which began getting probed (vulnerability scans) and bombarded with attacks (simple crypto mining infections and crypto mining worms) within a day, the researchers decided to see how many of those open servers hold the malicious keys and values that they saw in their honeypot data.
The result? Only 10,000 of the servers replied to their scan attempts without an error, but of those most showed signs of compromise.
“Unsurprisingly, more than two-thirds of the open Redis servers contain malicious keys and three-quarters of the servers contain malicious values, suggesting that the server is infected. Also according to our honeypot data, the infected servers with ‘backup’ keys were attacked from a medium-sized botnet located at China (86% of IPs),” the researchers shared.
“In the last month alone, Imperva customers were attacked more than 75k times, by 295 IPs that run publicly available Redis servers. The attacks included SQL injection, cross-site scripting, malicious file uploads, remote code executions etc. These numbers suggest that attackers are harnessing vulnerable Redis servers to mount further attacks on the attacker’s behalf.”
They advise administrators to remove the exposed Redis servers from the Internet and check whether they have been infected. It’s also a good idea to run Redis with the minimal privileges necessary.
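One way to check a server's own configuration for the exposure described above (listening beyond loopback with no authentication). This is an added example, not code from Imperva or the Redis project. It reads the real redis.conf directives `bind`, `protected-mode` and `requirepass`; the sample configs and the function names are constructed for illustration, and it assumes authentication is configured through `requirepass` rather than ACL users.

```python
import ipaddress

# Constructed sample configs (not taken from the article).
EXPOSED_CONF = """
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "use-a-long-random-secret-here"
"""

def parse_conf(text):
    """Return {directive: [args]}; the last occurrence of a directive wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = [p.strip('"') for p in parts[1:]]
    return conf

def is_loopback(addr):
    # Newer Redis accepts a leading "-" (skip the address if it is unavailable).
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # "*" or a hostname: treat as non-loopback

def audit(text):
    """Return findings that leave the instance reachable without a password."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind")
    if binds is None:
        findings.append("no bind directive: listens on all interfaces")
    elif not all(is_loopback(a) for a in binds):
        findings.append("bind includes a non-loopback address: " + " ".join(binds))
    if not (conf.get("requirepass") or [""])[0]:
        findings.append("requirepass not set: any client that connects is trusted")
    if (conf.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    return findings

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

A non-loopback `bind` is reported for review rather than as proof of exposure, since a private address behind a firewall may be intended.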