Researchers report that more than a thousand Redis servers were infected with custom malware called HeadCrab.
Monero, a privacy-oriented cryptocurrency, is also a favorite of hackers.
Team Nautilus, Aqua Security's research division, discovered a botnet spanning 1,200 Redis servers that had been infected over the past year and a half. The servers are located in the United States, the United Kingdom, Germany, India, Malaysia, China and other countries, and the only thing they have in common is that they run Redis.
Authentication is off by default
Researchers Asaf Eitani and Nitzan Yaakov said: “The victims appear to have little in common, but the attackers appear to be primarily targeting Redis servers and have a deep understanding and expertise in Redis modules and APIs, as demonstrated by the malware.”
Open-source Redis database servers ship with authentication turned off by default, so anyone who can reach an exposed instance can connect and execute commands remotely without authenticating. Many Redis operators apparently never turned authentication on, leaving their endpoints open to attackers.
Additionally, Redis Cluster uses master-slave servers for data replication and synchronization, which lets an attacker issue the built-in SLAVEOF command and make the exposed endpoint a slave of a Redis server they already control. That is how the attackers deployed the HeadCrab malware.
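As an added illustration (not code from the Aqua report or the Redis project), the following Python script audits a redis.conf for the exposures just described: a constructed default-style config with no password, listening on every interface and with SLAVEOF and MODULE reachable, beside a hardened counterpart. The directive names are real Redis settings; the configuration contents and the password value are constructed for the example.

```python
import shlex
# Constructed sample: a default-style config made reachable (bind widened,
# protected-mode off) with no password set.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass change-me
"""

# Constructed hardened counterpart for the same instance.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "a-long-random-secret"
enable-module-command no
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

def parse_conf(text):
    """Map each directive to its argument lists (rename-command may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    gone = {a[0].upper() for a in conf.get("rename-command", []) if a[1:] == [""]}
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: any client that can connect is fully trusted")
    addrs = [a for args in conf.get("bind", [["*"]]) for a in args]  # no bind = all
    if any(a in {"0.0.0.0", "*", "::", "-::*"} for a in addrs):
        findings.append("bind exposes the port on all interfaces")
    if conf.get("protected-mode", [["yes"]])[0][0].lower() == "no":
        findings.append("protected-mode off: the no-password safety net is disabled")
    if not {"SLAVEOF", "REPLICAOF"} <= gone:
        findings.append("SLAVEOF/REPLICAOF reachable: instance can be re-pointed at a foreign master")
    # Redis 7 defaults this to no; older releases lack it, so only an explicit 'no' or a renamed MODULE passes.
    if conf.get("enable-module-command", [["yes"]])[0][0] != "no" and "MODULE" not in gone:
        findings.append("MODULE LOAD reachable: shared objects can be loaded into the server")
    return findings
```

Running `audit(WEAK_CONF)` reports five findings, while `audit(HARDENED_CONF)` reports none; the same function can be pointed at a real redis.conf read from disk.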
The researchers don’t know who’s behind the campaign, but based on the attackers’ cryptocurrency wallets they estimate the operation earns about $4,500 per infected device per year.
“We noticed that the attackers went to great lengths to ensure their attacks were stealthy,” the researchers added.
Monero is arguably the most popular cryptocurrency among hackers who engage in cryptojacking. Over the years, there have been countless reports of criminals deploying XMRig, a popular Monero miner, on servers and in data centers around the world, saddling victims with huge electricity bills while rendering their servers virtually unusable.