75 % of open Redis servers are infected with malware

[German] Disturbing discovery: The vast majority of Redis servers that are left open on the Internet without authentication are most likely hosting malware. This is the conclusion reached by experts at security provider Imperva after operating Redis-based honeypot servers in recent months.


What is a Redis server

If you are running a Redis server, you already know enough to skip this explanation. For the other blog readers, a short explanation. According to Wikipedia:

Redis is an open-source in-memory database project implementing a distributed, in-memory key-value store with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, hyperloglogs, bitmaps and spatial indexes.

Open Redis servers are infected

Bleeping Computer reported some details here, obtained from experts at security provider Imperva. This company has operated Redis-based honeypot servers in recent months. The cryptominer ReddisWannaMine, which attacks open Redis servers operated without credentials, had already been discovered earlier.

Reuse of SSH keys reveals botnet operations

While observing the honeypot Redis servers, a pattern was noticed: attackers repeatedly installed SSH keys on the compromised Redis server for later access. Apparently, the SSH keys were used by a botnet.

"We found that different attackers use the same keys and/or values to execute attacks," Imperva said, "a shared key or value between multiple servers is a clear sign of malicious botnet activity."


Imperva experts took the SSH keys collected via the honeypot and scanned the Redis servers openly accessible on the Internet for the presence of these keys. According to Shodan, around 72,000 Redis servers are reachable on the Internet. Over 10,000 of these servers responded to a scan without returning an error. This enabled the security experts to check the locally installed SSH keys. Over 75% of these servers use an SSH key that is known to be connected to a malware botnet operation.
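The comparison Imperva ran, matching the SSH keys installed on a host against keys harvested on the honeypot, can be reproduced locally against an authorized_keys file. The following Python is an added example, not Imperva's tooling or code from the article; the key blobs and the "known bad" fingerprint set are constructed placeholders, since the post does not publish the real indicators.

```python
import base64
import hashlib
import struct

def ssh_fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (key_type, fingerprint, comment) per key line; skips blanks,
    comments and leading options (options containing spaces not handled)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        while fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
            fields.pop(0)  # drop option tokens such as no-pty,command="..."
        if len(fields) < 2:
            continue  # malformed line
        try:
            fp = ssh_fingerprint(fields[1])
        except ValueError:
            continue  # blob is not valid base64
        entries.append((fields[0], fp, " ".join(fields[2:])))
    return entries

def find_known_bad(text, bad_fingerprints):
    """Installed keys whose fingerprint is on the known-bad list."""
    return [e for e in parse_authorized_keys(text) if e[1] in bad_fingerprints]

def constructed_ed25519_blob(seed):
    """Syntactically valid ssh-ed25519 blob from a placeholder 32-byte value
    (constructed test data, not a real key)."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

BOTNET_BLOB = constructed_ed25519_blob(b"placeholder-botnet-key")
ADMIN_BLOB = constructed_ed25519_blob(b"placeholder-admin-key")
# Stand-in for the fingerprints of keys Imperva collected on its honeypots.
KNOWN_BAD_FINGERPRINTS = {ssh_fingerprint(BOTNET_BLOB)}

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample authorized_keys file
ssh-ed25519 {ADMIN_BLOB} admin@host
no-pty,command="/bin/true" ssh-ed25519 {BOTNET_BLOB} unknown
"""
```

Running `find_known_bad` over a real file with a real indicator list flags only the matching entries; a hit on a server that was never meant to accept that key is the signal the article describes.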

Some servers have been carrying such SSH keys for 2 years, because Redis is not secured by default. Details can be found in the article by Bleeping Computer. Question: Do any of you run Redis servers with Internet access?
