Open Redis Servers Infected with Malware

After scanning 72,000 publicly available Redis (REmote DIctionary Server) servers with attack keys garnered through honeypot traffic, Imperva today reported that 75% of the publicly available Redis servers were hosting the attacks registered in the honeypot. 

Three-quarters of the servers contained malicious values, which Imperva said is an indication of infection, and more than two-thirds of the open Redis servers contained malicious keys. The honeypot data also revealed that those infected servers with "backup" keys were attacked from a medium-sized botnet (610 IPs) with 86% of the IPs located in China.

Security research team leader at Imperva, Nadav Avital wrote in a blog post today that the high percentage of infections was most likely because they are being directly exposed to the internet. "However, this is highly unrecommended and creates huge security risks." 

Earlier this year, Imperva reported on the RedisWannaMine attack, which propagates through open Redi and Windows servers. Since then, the researchers have learned of additional attacks. 

A tool with many attributes, Redis can be used as an in-memory distributed database, cache or message broker. Because it is designed to be accessed by trusted clients inside trusted environments, Redis should not be publicly exposed.

"To help protect Redis servers from falling victim to these infections, they should never be connected to the internet and, because Redis does not use encryption and stores data in plain text, no sensitive data should ever be stored on the servers," Avital wrote. 

"Security issues commonly arise when people don’t read the documentation and migrate services to the cloud, without being aware of the consequences or the adequate measures that are needed to do so," he continued. 

The research revealed the magnitude of the problem within 24 hours of being made public. Once publicly available, the servers of Imperva customers were targeted by vulnerability scanners and crypto-mining infections and attacked more than 70,000 times by 295 IPs.

"The attacks included SQL injection, cross-site scripting, malicious file uploads, remote code executions etc. These numbers suggest that attackers are harnessing vulnerable Redis servers to mount further attacks on the attacker’s behalf," Avital said. 

"As a side note, going through the huge amount of publicly available data, we found private SSH keys that can be used to access servers, certificates that can be used to decrypt network traffic, PII, and more sensitive data," he said.

What’s Hot on Infosecurity Magazine?