The vast majority of all the open Redis servers that are left open without any authentication system to protect already harbor malware. The report was made by an Imperva spokesperson. After running Redis-based honeypot servers for a few months, the company’s experts came to conclusion.
Through these honeypot servers, Imperva successfully discovered the campaign named ReddisWannaMine – a botnet which was mining cryptocurrency on open Redis servers. However, time went by and the data gathered from honeypot racked up. Now, the experts have noticed something special in the trends of their Redis test servers.
Same SSH keys reused
The most important thing to notice was that hackers were installing really old SSH keys in the compromised Redis server(s). Thus, they could access it later when necessary.
According to Imperva, they’ve noticed that different attackers were using the same SSH keys and/or values for carrying out the attacks. Now, when the presence of the same key is on multiple servers, it clearly indicates malicious activities.
Imperva experts collected all the common SSH keys and ran scans on all the exposed Redis servers for the presence of those keys.
Redis servers are compromised
On the internet, there are more than 72,000 Redis servers. According to Imperva, more than 10,000 of them responded to their scan request without any error. Thus, the researchers were able to determine the installed SSH keys.
According to them, they have identified that more than 75% of all the open servers held the familiar SSH key(s) that were used by malware botnet operation.
Old SSH keys in use
The researcher found one particular key to stand out. The key “crackit” is in use for years. This malicious key was present previously on about 6,300+ Redis servers back in July 2016. That time, the key was identified by Risk Based Security researchers.
Later, the key was spotted again in over 13,000 Redis servers that were compromised by ransomware, asking 2 BTC as the ransom. This time, the researchers of Duo Lab identified the issue.
Redis isn’t secure by default
Redis is a popular server type. Irrespective of the fact that the malicious SSH keys are present, Redis doesn’t come up with secure-by-default configuration. Unfortunately, most users set up the server aren’t aware of it.
According to the documentation of the official Redis server, Redis is designed for closed IT networks. That’s why it doesn’t come up with pre-configured security measures like access control mechanism enabled. Server admins must enable the option manually to enable authentication system.
Nadav Avital from Imperva said that Redis doesn’t have default authentication and shouldn’t be put online as the data there are stored in clear text.
If you’re a Redis server owner, enable the security mechanisms today for preventing any abuse of your server.
