Over a thousand Redis servers hijacked to mine crypto

Default settings allowed crooks easy access


UPDATE: In a statement, Redis told TechRadar Pro that it was, “very supportive of the cybersecurity research community, and we want to recognize AquaSec for getting this report out to benefit the Redis community. Their report shows the potential dangers of mis-configuring Redis. We encourage all Redis users to follow the security guidance and best practices published within our open source and commercial documentation. We also offer a free security course, as part of Redis University, which covers both our open source and commercial offerings.”

“We should note that there are no signs that Redis Enterprise software or Redis Cloud services have been impacted by these attacks.”

More than a thousand Redis servers were infected by custom-built malware called HeadCrab, researchers have reported.

The malware made the endpoints mine Monero, a privacy-oriented cryptocurrency and a hacker favorite.

Cybersecurity researchers from Aqua Security’s Nautilus team discovered a botnet spanning 1,200 Redis servers, which were infected over the last year and a half. The servers were located in the US, the UK, Germany, India, Malaysia, China, and other countries, and beyond being Redis servers, have no other links to one another.

Authentication off by default

“The victims seem to have little in common, but the attacker seems to mainly target Redis servers and has a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware,” researchers Asaf Eitani and Nitzan Yaakov said.

As it turns out, open-source Redis database servers have authentication off by default, allowing threat actors to access them and execute code remotely, without needing to authenticate as a user. Apparently, many Redis users forgot to switch the authentication feature on, exposing their endpoints to attackers.


What’s more, Redis clusters use master and slave servers for data replication and synchronization, allowing the attackers to use the default SLAVEOF command and set the target endpoint as a slave to a Redis server they already control. That allows them to deploy the HeadCrab malware.
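The two weaknesses the article describes, authentication left off and replication commands such as SLAVEOF reachable by any client, are both visible in a redis.conf before an attacker ever connects. The following checker is an added example written for this article, not code from the report, from Aqua Security or from the Redis project. It parses redis.conf-style text and reports the settings that leave an instance open to exactly this kind of takeover. The directive names it looks for (`bind`, `protected-mode`, `requirepass`, `rename-command`, `replicaof`/`slaveof`) are real Redis configuration directives; the two sample configurations are constructed for the example, and `REPLACE_WITH_LONG_RANDOM_SECRET` is a placeholder, not a recommended value.

```python
"""Audit a redis.conf for the misconfigurations HeadCrab relied on.

Added example for this article (not code from the report or from Redis):
parses redis.conf-style text and reports settings that leave an instance
reachable without a password or allow any client to repoint replication
with SLAVEOF/REPLICAOF. Both sample configs below are constructed.
"""

from typing import Dict, List, Optional

# Constructed sample: the shape of config that exposes a server.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so anyone who can reach the port is admin
# requirepass changeme
"""

# Constructed sample: the same instance hardened. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
"""


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Parse redis.conf lines into {directive: [args, ...]}.

    A directive may appear several times (rename-command does), so each
    value is a list of argument lists. Comments and blank lines are skipped.
    """
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings: List[str] = []

    # 1. No password: the default the article describes.
    if "requirepass" not in conf:
        findings.append("no requirepass: unauthenticated clients get full access")

    # 2. Listening on every interface. With no bind directive Redis also
    #    listens on all interfaces, so absence is treated as exposure.
    bind_args: Optional[List[List[str]]] = conf.get("bind")
    if bind_args is None:
        findings.append("no bind directive: Redis listens on all interfaces")
    else:
        for args in bind_args:
            if any(addr in ("0.0.0.0", "*", "::") for addr in args):
                findings.append("bind exposes the port on all interfaces")

    # 3. protected-mode off removes the loopback-only safety net that
    #    otherwise applies when no password is set.
    if conf.get("protected-mode", [["yes"]])[0][0].lower() == "no":
        findings.append("protected-mode no: remote access allowed without a password")

    # 4. Replication commands still live, so any client could issue SLAVEOF
    #    and point this instance at a master it does not control.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] in ('""', "''")}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} not disabled: a client can repoint replication")

    # 5. Replication already pointed somewhere: worth a look in any audit.
    for args in conf.get("replicaof", []) + conf.get("slaveof", []):
        findings.append(f"instance is configured as a replica of {' '.join(args)}")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(text) or ['no findings']}")
```

Run against a live file with `audit_conf(open("/etc/redis/redis.conf").read())`. Renaming SLAVEOF and REPLICAOF to an empty string is the traditional way to disable them; on Redis 6 and later, ACL rules that deny those commands to application users achieve the same end without hiding the command from the administrator, and a password (or ACL users) plus `protected-mode yes` remain the first thing to check.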


The researchers don’t know who is behind the campaign, but from the attackers’ cryptocurrency wallets they deduced that the operation brings in about $4,500 per infected device per year.

“We have noticed that the attacker has gone to great lengths to ensure the stealth of their attack,” the researchers added.

Monero is arguably the most popular cryptocurrency among hackers engaging in cryptojacking. Over the years there have been countless reports of criminals deploying XMRig, a popular Monero miner, to servers and data centers around the world, running up huge electricity bills for the victims while rendering their servers practically useless.

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
