- There are 350,675 Internet-accessible Redis services from 260,534 unique hosts and 11% (39,405) of these services don’t require authentication.
- China has the most unauthenticated Redis services, while the USA is second. With 72.73%, Israel has the highest percentage of misconfigured Redis installs.
- Censys noticed users’ reports on GitHub about a lesser-known attack technique, known as Redis Unauthorized Access Vulnerability.
Cybersecurity firm Censys announced that it has discovered 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet. Approximately 50% of these services show signs of an attempted compromise: attackers are trying to install a cryptocurrency miner on unauthenticated Redis servers exposed to the internet.
Databases exposed
According to Censys' research, there are 350,675 Internet-accessible Redis services from 260,534 unique hosts, and 11% (39,405) of these services don't require authentication. With 20,011, China has the most unauthenticated Redis services, while the USA is second with 5,108. However, with 72.73%, Israel has the highest percentage of misconfigured Redis installs. It is the only country where misconfigured Redis servers outnumber properly configured ones.
While reviewing the known issues for Redis, Censys noticed user reports about a lesser-known attack technique, known as the Redis Unauthorized Access Vulnerability, targeting Redis. For years it has been used to trick Redis servers into writing data to arbitrary files, turning the service's runtime configuration system against itself: an attacker can set configuration values remotely at runtime using the Redis messaging protocol. The technique relies on configuring Redis to write its file-based database into a directory that is used to authorize a user or start a process. Observed attacks using it do the following:
- Stops and disables any running security-related process
- Stops and disables any running system monitoring processes
- Removes and purges all system and security-related log files, including shell histories (e.g., .bash_history).
- Adds a new SSH key to the root user’s authorized_keys file
- Disables the iptables firewall
- Installs several hacking and scanning tools such as “masscan”
- Installs and runs the cryptocurrency mining application XMRig
Censys said,
« Using the most recent list of unauthenticated Redis services running on TCP port 6379, we ran a one-time scan that simply looked for the existence of the key “backup1” (note: we did not fetch the value) on every host. We found that out of the 31,239 unauthenticated Redis servers in this list, 15,526 hosts had this key set. This means that someone attempted the attack described in this section on over 49% of known unauthenticated Redis servers on the Internet. »
In the whitepaper, Censys recommends administrators take the following steps in order to prevent the possible attacks on Redis instances:
- Enable client authentication in your Redis configuration file
- Configure Redis to only run on internal-facing network interfaces
- Disable the CONFIG command with rename-command CONFIG "" to avoid configuration abuse
- Configure your firewall only to accept Redis connections from trusted hosts
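As an added example that is not part of the Censys report, the following Python script audits a redis.conf text against the four recommendations above; the two sample configurations and the check logic are constructed here for illustration.

```python
"""Audit a redis.conf text against the hardening steps listed above."""
from typing import Dict, List

# Constructed sample: an instance listening on every interface with no auth.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
"""

# Constructed sample: the same instance after applying the recommendations.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
"""

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with (comments skipped)."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives

def audit_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings: List[str] = []
    if "requirepass" not in conf:
        findings.append("no requirepass: clients connect without authentication")
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "*", "::") for addr in binds):
        findings.append("bind missing or wildcard: Redis listens on all interfaces")
    if [a.lower() for a in conf.get("protected-mode", [["yes"]])[0]] != ["yes"]:
        findings.append("protected-mode disabled")
    renames = [a for a in conf.get("rename-command", []) if a and a[0].upper() == "CONFIG"]
    if not any(len(a) == 2 and a[1] in ('""', "''") for a in renames):
        findings.append('CONFIG command still reachable: add rename-command CONFIG ""')
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_conf(text) or ["OK"])
```

Redis 6 and later can also grant access through ACL users, which this check does not model; a firewall rule for trusted hosts lives outside redis.conf and must be verified separately.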