Cybersecurity software company Imperva reported that as much as 75 percent of the 72,000 public Redis (REmote DIctionary Server) installations are infected with malware found on honeypot traffic, according to Kacy Zurkus, writing for Infosecurity Magazine.
Imperva said that malicious values were found on three-fourths of the public Redis units, which is an indication of malware infection, while more than two-thirds of the public Redis had malicious keys. The infected servers with backup keys were attacked from a medium-sized botnet (610 IPs) with 86 percent of the IPs located in China, based on the honeypot traffic data.
Imperva team leader Nadav Avital speculated that the high percentage of infections was the result of the public Redis being directly exposed to the internet. Avital said such an arrangement is not advisable because it creates enormous security risks. He pointed out that the Redis should not be connected directly to the Internet because they store data in unencrypted plain text.
Redis can be used as an in-memory distributed database, cache or message broker. It should not be publicly exposed because it is designed to be accessed by trusted clients inside trusted environments.
The enormity of the problem was made plain visible within 24 hours after Imperva made public its research. Up to 295 IPs launched more than 70,000 attacks on the servers of Imperva customers through vulnerability scanners and crypto-mining infections. The attacks consisted of SQL injection, cross-site scripting, malicious file uploads, and remote code executions among others. Such a high number of cyber attacks could only mean that the attackers are exploiting vulnerable Redis to initiate further attacks.
Imperva also discovered secure socket shell keys that can illegally access servers and certificates that can illicitly decrypt network traffic, personally identifiable information, and other sensitive data.
The company is credited with unearthing the RedisWannaMine attack that propagates through open Redi and Windows servers in early 2018.