Fake Ransomware Targets Redis Instances

UPDATE–Researchers have found that more than 18,000 instances of the Redis data store service are exposed to the Internet and open to complete compromise by remote attackers using simple commands.

Duo Labs researchers set up a Redis honeypot and ran it for a month looking for attack patterns, and quickly found that attackers are actively scanning for Redis instances online and know which commands to use to compromise the exposed instances. The Redis developers advise users not to expose instances to the Internet, because the software is designed to run inside a trusted environment and be accessed only by trusted clients. But, like most security advice, it isn’t always heeded.

“Redis stores data in key/value pairs. Clients connect to a Redis instance and issue commands to get/set data (GET/SET), retrieve system statistics (INFO), or even make configuration changes (CONFIG),” Jordan Wright, a research and development engineer at Duo Labs, said in a post on the research findings.

“If Redis instances are exposed directly to the Internet, a malicious hacker could view and modify the stored data. They could also remotely configure the instance, leading to the complete compromise of the device. With this in mind, let’s see how many instances of Redis don’t follow these rules and are openly available on the Internet.”

In an interview, Wright said the idea for the project came out of some work he’d done on Elasticsearch, and he was interested in seeing how people were configuring and using Redis.

“It’s one of those things people spin up quickly and easily and has some really glaring security issues with it. I wanted to see how many were vulnerable and how much data was sitting out there,” Wright said.

Duo used the Shodan API to search for Redis instances reachable from the Internet and found more than 18,000, nearly all of them running out-of-date versions of the software. Looking at the data on the exposed hosts, the researchers found that a key called “crackit” had been added to many instances, with an attacker’s public SSH key as its value. The key is useful because Redis lets any connected client use CONFIG SET to change the directory and file name it writes its database dump to: an attacker who points the dump at /root/.ssh/authorized_keys and saves the database gets the stored key accepted as a root login credential, and can SSH in as root later. Wright set up a Redis honeypot to collect information on attackers’ tactics.

“The honeypot exposes a vulnerable instance of Redis to the Internet. Then, we set up a modified instance of the cowrie honeypot to only listen for SSH connections using key-based authentication,” Wright said.

Once on the honeypot, one attacker executed a series of commands that deleted all of the existing keys on the instance, added the attacker’s key as root, and then allowed the attacker to connect over SSH as root. Later, the attacker tried to erase large amounts of data on the host and left a ransomware note, though it appeared to be just an empty threat.
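The indicators above (a “crackit” key holding an SSH public key, a dump path redirected into authorized_keys, no AUTH required) can be checked from the replies an instance gives to a few probe commands. The following is an added example, not Duo Labs’ honeypot or detection code: it implements enough of the Redis RESP wire protocol to build requests and parse replies, then runs the indicator logic over constructed sample replies so it runs offline. The probe command names are real Redis commands; the reply bytes, key value and error strings are constructed for illustration, not captured from any host.

```python
"""Flag the 'crackit' compromise pattern and missing hardening from Redis replies.

Added example; the sample replies below are constructed, not captured.
"""
import re

# Rough shape of an OpenSSH public key line: key type, base64 blob, optional comment.
SSH_PUBKEY_RE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")


class RedisError(Exception):
    """A RESP error reply ('-ERR ...', '-NOAUTH ...')."""


def resp_array(*items: str) -> bytes:
    """Encode strings as a RESP array of bulk strings: the request format a client
    sends, and also the reply format of CONFIG GET (name, value pairs)."""
    parts = [f"*{len(items)}\r\n".encode()]
    for s in items:
        b = s.encode()
        parts.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(parts)


def resp_bulk(s: str) -> bytes:
    """Encode a single bulk string reply (what GET returns)."""
    b = s.encode()
    return f"${len(b)}\r\n".encode() + b + b"\r\n"


def parse_reply(buf: bytes):
    """Parse one RESP reply; returns (value, unconsumed_bytes).
    Error replies are raised as RedisError so callers can treat them as findings."""
    kind, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RedisError(line.decode())
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest  # null bulk string: key absent
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, rest
        items = []
        for _ in range(n):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"not a RESP reply: {buf[:16]!r}")


def assess(replies: dict) -> list:
    """Map raw replies to the probe commands (command text -> reply bytes) to findings."""
    findings = []

    def value(cmd):
        try:
            return parse_reply(replies[cmd])[0]
        except RedisError as e:
            return e

    dir_reply = value("CONFIG GET dir")
    if isinstance(dir_reply, RedisError):
        # 'unknown command' means CONFIG was renamed or disabled; NOAUTH means a
        # password is required. Either one blocks the remote dump-path rewrite.
        findings.append(f"CONFIG unavailable to this client: {dir_reply}")
    else:
        dump_dir = dir_reply[1]
        dump_file = value("CONFIG GET dbfilename")[1]
        if dump_dir.endswith("/.ssh") or dump_file == "authorized_keys":
            findings.append(f"COMPROMISE: dump redirected to {dump_dir}/{dump_file}")
        if value("CONFIG GET requirepass")[1] == "":
            findings.append("WEAK: no AUTH password set")

    key = value("GET crackit")
    if isinstance(key, str) and SSH_PUBKEY_RE.match(key):
        findings.append("COMPROMISE: key 'crackit' holds an SSH public key")
    return findings


# Constructed replies modelled on an instance hit by the attack described above.
COMPROMISED = {
    "CONFIG GET dir": resp_array("dir", "/root/.ssh"),
    "CONFIG GET dbfilename": resp_array("dbfilename", "authorized_keys"),
    "CONFIG GET requirepass": resp_array("requirepass", ""),
    "GET crackit": resp_bulk("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example crack@it"),
}

# Constructed replies from an instance with requirepass set and CONFIG renamed.
HARDENED = {
    "CONFIG GET dir": b"-ERR unknown command 'CONFIG'\r\n",
    "CONFIG GET dbfilename": b"-ERR unknown command 'CONFIG'\r\n",
    "CONFIG GET requirepass": b"-ERR unknown command 'CONFIG'\r\n",
    "GET crackit": b"-NOAUTH Authentication required.\r\n",
}

if __name__ == "__main__":
    print("probe request on the wire:", resp_array("CONFIG", "GET", "dir"))
    for name, replies in (("compromised", COMPROMISED), ("hardened", HARDENED)):
        print(name, assess(replies))
```

Against a live instance the same four requests would be written to a TCP socket on port 6379 and the replies fed to parse_reply; keeping the parser and the indicator logic separate from the socket code is what makes the checks testable on recorded replies.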

“The note suggests that files have been encrypted and sent to a remote server, but we saw no indications of this happening. This attack looks to rely on fear to try and get people to pay for files that no longer exist,” Wright said.

Several other attacks of the same kind were seen from 15 unique IP addresses. To protect exposed instances of Redis, Wright suggested that users set up an AUTH password for all connections and either rename or disable the CONFIG command so that it isn’t reachable by remote adversaries.
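The two mitigations Wright recommends, expressed as redis.conf settings, with the exposed defaults they replace noted alongside. This is an added example, not Duo Labs’ or the Redis project’s configuration; the bind address, the placeholder password and the renamed command name are assumptions.

```conf
# Exposed configuration (the state the scanned instances were in):
# no bind restriction, no requirepass, and CONFIG reachable by any client
# that can open a TCP connection to port 6379.

# Listen only on interfaces trusted clients use; assumed to be localhost here.
bind 127.0.0.1

# Require AUTH before any other command. This is the "AUTH password" setting;
# the value is a placeholder and should be long and random.
requirepass replace-with-a-long-random-secret

# Disable CONFIG entirely for remote clients...
rename-command CONFIG ""
# ...or, if operators still need it, move it to an unguessable name
# (assumed example name; generate your own):
# rename-command CONFIG cfg-7f3a9c2e4b1d8e6f
```

Renaming CONFIG stops the dump-path rewrite that turns a stored SSH key into a root login, and requirepass stops the unauthenticated SET and FLUSHALL that preceded it; the bind line addresses the root cause, an instance that should never have been reachable from the Internet at all.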

“There are different actors out there looking at Redis and we caught quite a few of them,” Wright said. “Some would install standard backdoors, but what I wanted to find was someone using that crackit SSH key, and it was all over the place.”

This story was updated on Sept. 1 to add comments from Wright.