75% of Redis servers contain malware, research reveals
31 May 2018
Security researchers at Imperva recently found that as many as 75 percent of the Internet-exposed Redis servers they examined contained malicious values, and two-thirds contained malicious keys, leaving them open to a medium-sized botnet whose attacks were launched from China in 86 percent of cases.
Redis (REmote DIctionary Server) is an open-source in-memory database, cache and message broker that supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, HyperLogLogs and geospatial indexes with radius queries.
Sponsored by Redis Labs, Redis is one of the most popular key-value stores and is among the top-rated NoSQL databases in use worldwide. Multinational firms that run it include Microsoft, Mastercard, DreamWorks, American Express, Home Depot and Vodafone.
Redis servers being exposed to the Internet
Despite being used by the crème de la crème, Redis is designed to be accessed only by trusted clients inside trusted environments. If an instance is exposed to the Internet, or to any network where untrusted clients can reach its TCP port or UNIX socket directly, it can be compromised with very little effort.
There are two main reasons. First, Redis ships with authentication switched off: the password check (the requirepass directive) is an optional layer that the operator has to enable. Second, Redis does not encrypt its traffic or its stored data (native TLS support only arrived later, in Redis 6), so everything crosses the wire and sits in memory and on disk in plain text, readable by anyone who can reach an exposed instance.
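One way to check whether a reachable instance is in that state, as an added example (this is not Imperva's tooling or Redis project code): the script below speaks the Redis wire protocol (RESP2) over a plain socket, sends an unauthenticated PING and then CONFIG GET for requirepass, protected-mode and bind, and classifies the answers. The NOAUTH and DENIED error replies and the flat name/value layout of a CONFIG GET reply are real Redis behaviour; the status and finding strings, the function names and the embedded sample replies are this example's own assumptions.

```python
"""Probe a Redis instance for the weak defaults described above. Added example,
not Imperva's tool or Redis project code: it speaks RESP2 over a plain socket."""
import io
import socket


class RespError(Exception):
    """Error reply from the server (RESP '-' type), e.g. NOAUTH or DENIED."""


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings (what clients send)."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse_resp(r):
    """Read one RESP2 value from a binary file-like (a socket file or BytesIO)."""
    prefix, line = r.read(1), r.readline()[:-2]    # drop the trailing CRLF
    if prefix == b"+":                              # simple string
        return line.decode()
    if prefix == b"-":                              # error reply
        return RespError(line.decode())
    if prefix == b":":                              # integer
        return int(line)
    if prefix == b"$":                              # bulk string, length -1 = null
        n = int(line)
        return None if n < 0 else r.read(n + 2)[:n].decode()
    if prefix == b"*":                              # array, length -1 = null
        n = int(line)
        return None if n < 0 else [parse_resp(r) for _ in range(n)]
    raise ValueError("unknown RESP prefix %r" % prefix)


def assess(ping_reply, config_pairs):
    """Classify from the unauthenticated PING reply and the flat [name, value, ...]
    list CONFIG GET returns (or its RespError). Finding texts are this example's."""
    if isinstance(ping_reply, RespError):
        msg = ping_reply.args[0]
        if msg.startswith("NOAUTH"):        # requirepass is set
            return "auth-required", []
        if msg.startswith("DENIED"):        # protected mode refused a remote client
            return "protected-mode", []
        return "error", [msg]
    findings = ["accepts unauthenticated commands"]
    if isinstance(config_pairs, RespError):    # CONFIG renamed or disabled
        return "open", findings + ["CONFIG unavailable: " + config_pairs.args[0]]
    cfg = dict(zip(config_pairs[0::2], config_pairs[1::2]))
    if cfg.get("requirepass") == "":
        findings.append("requirepass is empty")
    if cfg.get("protected-mode") == "no":
        findings.append("protected-mode is off")
    bind = cfg.get("bind")
    if bind is not None and (bind == "" or set(bind.split()) & {"0.0.0.0", "*"}):
        findings.append("listening on all interfaces (bind=%r)" % bind)
    return "open", findings


def collect(replies, send):
    """Run the exchange: send(*args) emits one command, its reply is then read
    from the binary stream `replies`. Returns (ping_reply, config_pairs)."""
    send("PING")
    ping = parse_resp(replies)
    pairs = []
    if not isinstance(ping, RespError):
        for name in ("requirepass", "protected-mode", "bind"):
            send("CONFIG", "GET", name)
            reply = parse_resp(replies)
            if isinstance(reply, RespError):
                return ping, reply
            pairs += reply
    return ping, pairs


def probe(host, port=6379, timeout=3.0):
    """Live check; run only against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as replies:
            return assess(*collect(replies, lambda *a: sock.sendall(encode_command(*a))))


# Constructed sample replies (not captured from a real host): the answers an
# instance with no password, protected mode off and bind 0.0.0.0 would give.
SAMPLE_REPLIES = (b"+PONG\r\n"
                  b"*2\r\n$11\r\nrequirepass\r\n$0\r\n\r\n"
                  b"*2\r\n$14\r\nprotected-mode\r\n$2\r\nno\r\n"
                  b"*2\r\n$4\r\nbind\r\n$7\r\n0.0.0.0\r\n")


def assess_offline(raw=SAMPLE_REPLIES):
    """The same exchange replayed from captured bytes; commands go nowhere."""
    return assess(*collect(io.BytesIO(raw), lambda *a: None))


if __name__ == "__main__":
    print(assess_offline())
```

Call `probe("host")` against an instance you are authorised to test, or `assess_offline()` to replay the embedded sample. An instance with requirepass set answers the bare PING with NOAUTH and is reported as `auth-required`; one whose protected mode rejects the remote client is reported as `protected-mode`; anything that answers PONG to an unauthenticated stranger is `open`, and the CONFIG GET checks only describe how open. A server on which CONFIG has been renamed away still counts as open here, because the PING already went through without credentials.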
“Our research has revealed that 75 percent of open Redis servers are infected with malware, which is most likely because they are being directly exposed to the internet. However, this is highly unrecommended and creates huge security risks,” said Nadav Avital, security research team leader at Imperva.
“To help protect Redis servers from falling victim to these infections, they should never be connected to the internet and, because Redis does not use encryption and stores data in plain text, no sensitive data should ever be stored on the servers,” he added.
When Imperva's researchers exposed a test Redis server to the Internet to gauge the scale of the problem, it was hit within the first 24 hours by vulnerability scanners, simple crypto-mining infections and crypto-mining worms.
They also observed that different attackers used the same keys and/or values in their attacks on Redis servers, which indicated that the attacks were part of a single botnet campaign.
“In the last month alone, Imperva customers were attacked more than 70K times by 295 IPs that run publicly available Redis servers. The attacks included SQL injection, cross-site scripting, malicious file uploads, remote code execution, etc. These numbers suggest that attackers are harnessing vulnerable Redis servers to mount further attacks on the attacker’s behalf,” they added.