The total disregard for any security features in the creation of the Redis database server has come around to haunt the project years after, as Risk Based Security (RBS) is reporting on discovering 6,338 compromised Redis servers.
Redis is a NoSQL database server that’s ideal for storing data in the key-value format, using an in-memory system for handling the data and subsequent queries. According to statistics from DB-Engines,in terms of usage and popularity in 2015.
Because Redis was created with performance in mind, in a default configuration, the database doesn’t feature any type of authentication or other hardened security features.
SSH key creation exploit used to compromise Redis servers
This means that anyone can access its content just by knowing its IP and port. Even worse is that towards the end of 2015,appeared that allowed a third-party to store an SSH key in the authorized_keys file of any Redis server that doesn’t have an authentication system put in place.
There are over 30,000 Redis database servers without any authentication available online. According to RBS researchers, 6,338 of these servers have been compromised.
The company reached this conclusion after performing a non-intrusive scan using Shodan. RBS researchers’ interest peaked when they analyzed a hacked server that featured the “crackit” SSH key, which was attached to an email address [email@example.com] that they previously encountered in other incidents.
Scanning Shodan for open Redis servers that featured non-standard SSH keys, researchers found 5,892 instances of SSH keys tied to the email address firstname.lastname@example.org. They also found 385 keys for email@example.com and 211 keys for firstname.lastname@example.org.
The most common non-standard keys were “crackit”, “crackit_key”, “qwe”, “ck”, and “crack”. In total, RBS found 14 unique emails and 40 unique SSH keys combos. As RBS explained, these compromises looked to be the work of multiple groups or individuals.
Attackers didn’t target a specific Redis version, they hacked everything
As for compromised Redis database versions, researchers found 106 different versions, ranging from the very early 1.2.0 version up to the latest release, 3.2.1.
“While we were unable to get anyone to go on the record, it appears from our analysis that we have confirmation of two things, the first being that this is not a new issue, and second, some servers are sitting out there infected and are not being utilized for anything malicious,”.
The security firm recommends that webmasters update their Redis databases to the most recent version and activate “protected mode,” a security feature introduced in Redis with version 3.2.
These 6,338 servers are still exposed today, meaning that new threat actors can easily re-compromise them.