Active Exploitation of Vulnerable Redis Servers

Published on 04 Oct 2022

Updated on 05 Oct 2022

Security researchers have released an advisory on vulnerable Redis servers being actively exploited. Threat actors were observed using several Redis keys whose names carry the string "backup" to store malicious code on these servers, which could then be executed remotely at a predetermined time.

Successful exploitation could allow the attacker to manipulate system monitoring processes and log files, add new SSH keys to the root user’s authorized_keys file, disable the iptables firewall, install hacking and scanning tools, as well as execute cryptocurrency mining applications such as XMRig.

To mitigate access from unauthorised entities, administrators of Redis servers are advised to:
• Enable client authentication in the Redis configuration file.
• Configure Redis to listen only on internal-facing network interfaces.
• Disable the CONFIG command by adding the directive rename-command CONFIG "" to the Redis configuration file, to avoid configuration abuse.
• Configure the firewall to accept Redis connections only from trusted hosts.
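As an added illustration that is not part of the advisory, the POSIX shell script below checks a redis.conf file for the first three mitigations listed above (authentication, bind address, CONFIG disabled). It builds two constructed sample configuration files, one exposed and one hardened, and reports a FINDING line for each missing control. The internal address 10.0.0.5 and the password placeholder are assumptions; the firewall rule lives outside redis.conf and is therefore not checked here.

```shell
#!/bin/sh
# Audit a redis.conf for the mitigations named in the advisory.
# Assumes a plain redis.conf: one directive per line, '#' comments on their own lines.

# Print the effective value of a directive (Redis honours the last occurrence).
# $1 = config file, $2 = directive name (matched case-insensitively)
redis_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) {
            val = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "", val)
            found = val
        }
        END { print found }
    ' "$1"
}

# Print one "FINDING: ..." line per missing control; always returns 0.
audit_redis_conf() {
    conf="$1"

    # 1. Client authentication: requirepass (all versions) or ACL users (Redis 6+).
    pass=$(redis_conf_get "$conf" requirepass)
    if [ -z "$pass" ] && ! grep -qiE '^[[:space:]]*(user|aclfile)[[:space:]]' "$conf"; then
        echo "FINDING: no requirepass or ACL user configured (unauthenticated access)"
    fi

    # 2. Internal interfaces only. An absent bind, 0.0.0.0, '*' or a bare '::'
    #    listens on every interface. protected-mode is only a backstop for the
    #    no-bind/no-password case, so the explicit bind is still flagged.
    bind=$(redis_conf_get "$conf" bind)
    if [ -z "$bind" ] || echo "$bind" | grep -qE '(^|[[:space:]])(0\.0\.0\.0|\*|::|-::)($|[[:space:]])'; then
        echo "FINDING: bind is '${bind:-<unset>}' (listens on all interfaces)"
    fi

    # 3. CONFIG disabled by renaming it to the empty string.
    if ! grep -qiE '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]+""[[:space:]]*$' "$conf"; then
        echo 'FINDING: CONFIG command not disabled (rename-command CONFIG "")'
    fi

    # 4. Host firewall rules are not part of redis.conf and are not checked here.
    return 0
}

# Count the FINDING lines for a config file (prints 0 when the file is clean).
audit_finding_count() {
    audit_redis_conf "$1" | grep -c '^FINDING' || true
}

# Constructed sample configurations, written to a temporary directory.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CONF="$WORKDIR/weak.conf"
HARD_CONF="$WORKDIR/hardened.conf"

# Exposed shape: no bind, no password, CONFIG reachable by anyone who can connect.
cat > "$WEAK_CONF" <<'EOF'
port 6379
daemonize yes
EOF

# Hardened shape: loopback plus one internal interface (10.0.0.5 is a placeholder),
# a password placeholder to be replaced, and CONFIG disabled.
cat > "$HARD_CONF" <<'EOF'
port 6379
bind 127.0.0.1 10.0.0.5
requirepass CHANGE-ME-TO-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
EOF

echo "== weak.conf =="
audit_redis_conf "$WEAK_CONF"
echo "== hardened.conf =="
audit_redis_conf "$HARD_CONF"
```

Run it against a real file with audit_redis_conf /etc/redis/redis.conf after sourcing the script; the weak sample yields three findings and the hardened sample none.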

More information is available here:
https://securityaffairs.co/wordpress/136045/hacking/redis-cryptocurrency-campaign.html
https://censys.io/databases-exposed-redis/