Redis (Remote Dictionary Server) is a non-relational database management system that stores and manages unstructured data in a key-value structure. Unstructured data is raw data with no fixed schema; it includes web logs, XML, JSON, images, text, audio and video files, and more.

Redis supports asynchronous replication, which keeps copies of the same data on multiple servers. Should the main server fail, requests can be served by the replicas, which speeds up reads and gives time to recover the main server. This is one reason Redis is so widely used.

Hacked Redis Server Spreading Coin Mining Malicious Code 

This article describes a case where an attacker accessed a server running a Redis service with insufficient authentication and installed a bitcoin miner on it.

To identify externally exposed Redis products, search for “product:redis” on Criminal IP Asset Search, which returns a total of 26,373 exposed Redis servers.

Search Query: “product:redis”

Search results of “product:redis” on Criminal IP, a total of 26,373 exposed Redis servers

Broken down by country, China has the most exposed Redis servers.

Exposed Redis servers by country, China has the most exposed Redis servers

Exposed Redis Server With Insufficient Authentication

If you connect to a running Redis service with redis-cli [target_ip], the following notice is shown when authentication is enabled.

“(error) NOAUTH Authentication required”

“(error) NOAUTH Authentication required” notice shown on the secure Redis server

However, if no authentication is configured, the server can be accessed immediately, as shown in the image below, and the stored data can be listed with “keys *”.

Page of Redis server with insufficient authentication, data gets leaked through “keys *”

Exposed Redis Server Infected by Monero Coin Mining Malicious Code 

While inspecting the server data, we found a common suspicious pattern: the values all led to “cleanfda”.

A screen where specific data was accessed on an exposed Redis server and a suspicious pattern was discovered

Looking up the exposed domain on Criminal IP Domain Search confirms that the domain serves a bash shell script.

Search results for the suspicious URL discovered on the exposed Redis server using Criminal IP Domain Search, the domain serves a bash shell script

Fetching the URL and inspecting the bash shell script closely shows that it runs a Monero coin mining script on the compromised server.

Analysis result of the suspicious domain’s script discovered on the exposed Redis server, found to be a Monero coin mining script

How to Prevent Redis Server From Being Hacked 

To prevent operating Redis servers from being exploited for coin mining, server administrators should apply the following settings:

  • Do not bind the Redis service to the default address when running it on Docker (bind to 127.0.0.1, not 0.0.0.0)
  • Check the firewall settings to block access from suspicious IPs and make sure that only authenticated, white-listed users can reach the service
  • Periodically verify through Criminal IP that the Redis server is not exposed and that authentication is not missing
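As an added example (not code from the article or from Criminal IP), a small Python audit script that speaks the Redis RESP protocol directly: it classifies a server as open or protected from the NOAUTH reply described above and, on an open instance you operate, lists `keys *` as the article does and flags values that match the indicators the article names (“cleanfda” and a URL serving a shell script). The host, port and the sample values in the test are assumptions.

```python
import io
import re
import socket

# "cleanfda" is the string seen on the infected servers; the ".sh" URL shape is a heuristic added here.
SUSPECT_PATTERNS = [re.compile(p, re.I) for p in (r"cleanfda", r"https?://\S+\.sh\b")]

class RedisError(Exception):
    """A RESP error reply such as '-NOAUTH Authentication required'."""

def encode_command(*args: str) -> bytes:  # RESP array, the wire format redis-cli uses
    enc = [a.encode() for a in args]
    return b"*%d\r\n" % len(enc) + b"".join(b"$%d\r\n%s\r\n" % (len(b), b) for b in enc)

def read_reply(f):
    """Decode one RESP reply from a binary file object (socket.makefile('rb') or BytesIO)."""
    line = f.readline()
    kind, body = chr(line[0]), line[1:-2].decode()
    if kind in "+-":
        return body if kind == "+" else RedisError(body)  # errors are returned so callers can classify
    if kind == "$":
        n = int(body)
        return None if n < 0 else f.read(n + 2)[:n].decode(errors="replace")
    if kind == "*":
        return [read_reply(f) for _ in range(int(body))]
    raise ValueError(f"unexpected RESP type {kind!r}")

def parse_bytes(data: bytes):
    return read_reply(io.BytesIO(data))

def auth_state(reply) -> str:  # reply to PING -> 'open' (no auth), 'protected' (NOAUTH) or 'other'
    if isinstance(reply, RedisError):
        return "protected" if str(reply).startswith("NOAUTH") else "other"
    return "open" if reply == "PONG" else "other"

def suspicious_values(values) -> list:
    return [v for v in values if isinstance(v, str) and any(p.search(v) for p in SUSPECT_PATTERNS)]

def audit(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Audit one instance you operate: auth state, plus flagged values if it answers without AUTH."""
    with socket.create_connection((host, port), timeout) as sock, sock.makefile("rb") as f:
        sock.sendall(encode_command("PING"))
        state, flagged = auth_state(read_reply(f)), []
        if state == "open":  # KEYS * blocks the server briefly; acceptable for an audit, as on the page
            sock.sendall(encode_command("KEYS", "*"))
            for key in read_reply(f) or []:
                sock.sendall(encode_command("GET", key))
                flagged += suspicious_values([read_reply(f)])  # non-string keys give an error reply, skipped
    return {"auth": state, "flagged": flagged}
```

A server that answers `{"auth": "open", ...}` should get `requirepass` and a loopback `bind` before anything else; a non-empty `flagged` list means the instance has already been touched and needs incident handling, not just hardening.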

Please refer to our search tip article on detecting exposed Redis Commander instances and our analysis article on cryptocurrency-mining malicious code.

Data source: Criminal IP (https://www.criminalip.io/)

Related articles: