The Redis Rush

Chris Hall
Cloud Security Researcher, Lacework Labs

Redis has been heavily targeted for years and recent activity shows it is more popular than ever with attackers. There are several reasons for this: zero security for the base image, easily discoverable, and easily exploited. This makes Redis the ultimate low-hanging-fruit when targeting cloud infrastructure. This blog provides trending on Redis targeting in the wild and includes indicators and tools that you can use for your own threat intelligence purposes.

The ease with which Redis can be exploited means that a successful attack often depends on how quickly vulnerable hosts can be scanned and identified. To that end, there are numerous attackers rushing to be the first to take over your newly spawned Redis container. While a honeypot would demonstrate this, we found Shodan to be a more useful tool especially for identifying attackers. 

If a Redis server is open to the internet, then scanners such as Shodan can connect and send an ‘info’ command which returns the server’s full configuration data. This data includes records of connected clients which can allow us to derive indicators on attackers. For example,  attacker hosts can be identified by searching for the Redis ‘master_host’ value in the info output. 

In many cases, these master hosts are actually “rogue servers” meaning they were configured by an attacker. (Examples of this tactic can be found on Github) Establishing a rogue server can enable a shell and/or the ability to run a payload on the Redis host. In most cases this payload consists of a cryptomining installer. Figure 1 shows this data as it’s presented in the Shodan interface.

  

Figure 1. Rogue servers, clients & commands

Redis scanners are also observable in the connected clients portion of Redis information. By inspecting the cmd parameter in the client connection record (in Figure 1), we can see if the host simply just connected to the server port (6379) or attempted to run commands with the Redis cli. For example, also in Figure 1, IP address 119.45.34.13 was observed issuing a ‘flushall’ command. The flushall command deletes all the keys for the existing databases so this suggests the attacker attempted to drop their own SSH key onto the Redis server. By filtering on these commands, the legitimate scanners can be distinguished from the likely attackers.

Using the Shodan API, we first identified all reported hosts. Currently, there are over 30K however many do not contain any Redis configuration data. To filter those ones out you can run the following:

Shodan query

description

port:”6379″ “Connected Clients”

finds Redis with Client Connections

master_host port:”6379″

finds Redis replication data and lists master host

Table 1. Redis Queries

Our Redis collection tool shows the IP, the number of unique Redis servers the host connected to, as well as the issued commands. In total 43005 IPs were extracted from Redis client connection data in Shodan. The IPs seen connecting to the most servers were either not observed issuing any commands or they only sent an ‘info’ command to return the configuration. Filtering these mass scanners out leaves 33K hosts seen issuing one or more Redis commands. Another good filter is the number of unique Redis servers. If the host sent commands to three or more servers then there is higher probability the IP is engaged in offensive operations.

Redis scanner

Targeted servers

lastseen

ports

commands

asn

country

193.106.30.23

1316

9/26/2020 0:00

(high ports)

none

50297:Infium, UAB

Ukraine

193.118.53.218

1010

9/26/2020 0:00

(high ports)

info

21859:ZNET

Germany

202.107.226.5

1004

9/26/2020 0:00

(high ports)

info

4134:Chinanet

China

192.35.169.48

976

9/26/2020 0:00

(high ports)

none

237:MERIT-AS-14

United States

202.96.99.83

940

9/26/2020 0:00

(high ports)

info

4134:Chinanet

China

183.129.159.243

824

9/26/2020 0:00

(high ports)

info

4134:Chinanet

China

202.107.226.3

811

9/26/2020 0:00

(high ports)

info

4134:Chinanet

China

183.129.159.245

799

9/26/2020 0:00

(high ports)

info

4134:Chinanet

China

45.148.122.152

781

9/26/2020 0:00

(high ports)

info

config

slaveof

get

64425:SKB Enterprise B.V.

Netherlands

202.107.207.226

766

9/26/2020 0:00

(high ports)

info

4134:Chinanet

China

Table 2:. Redis client data and commands

The following shows the most frequently observed Redis commands. The client command was by far the most common. There are several tasks related to this command and it is unclear what actions were being performed. The command can be used to list and kill connections so it may have been leveraged to identify and terminate connections from competing attackers which is a common tactic in cryptojacking campaigns. 

  

Figure 2. Commands from Client connections

Mapping client IPs to ASN data and host country revealed the leading sources for Redis scanning. At the top of the list is ASN 4134 Chinanet aka No.31 Jin-rong Street. This ASN also accounts for a large portion of general scanning, botnet activity, and targeted attacks. In total, a quarter of all client connections originated from China. If you only count the high confidence hits (3 or more connections) then that increases to 60%.

  

Figure 3. Source ASNs

More interesting outputs from Shodan include rogue Redis servers which can be gleaned from the master host data. While there are tens of thousands of Redis scanners out there, the lion’s share of vulnerable instances appears to have been exploited by a small few. Among the 1254 compromised Redis instances reported via Shodan, only 11 rogue servers were identified. And between those there only appears to be 2-3 sets of activity including hosts attributed to prolific cryptojackers known as Kinsing. In a previous blog, we reported on a Kinsing rogue server with a master port of 8886. This port is still in use and there have been at least 331 Redis instances in communication with 7 Kinsing rouge servers over the past 30 days.

rogue server

Redis instances

lastseen

ports

asn

cc

45.148.122.152

691

9/26/2020 0:00

random high ports

64425:SKB Enterprise B.V.

Netherlands

165.227.102.206

122

9/26/2020 0:00

random high ports

14061:DIGITALOCEAN-ASN

United States

195.123.246.63

105

9/13/2020 0:00

[8886]

204957:ITL-Bulgaria Ltd.

Czechia

45.148.122.184

102

9/26/2020 0:00

random high ports

64425:SKB Enterprise B.V.

Netherlands

195.123.228.32

66

9/1/2020 0:00

[8886]

59729:ITL LLC

Bulgaria

5.34.183.14

45

9/23/2020 0:00

[8886]

15626:ITL LLC

Ukraine

45.10.88.124

42

9/26/2020 0:00

[8886]

48693:Rices Privately owned enterprise

Ukraine

93.189.42.250

31

9/22/2020 0:00

[8886]

41853:Limited Liability Company NTCOM

Russia

45.153.231.22

26

9/21/2020 0:00

[8886]

44094:Webhost LLC

Russia

5.34.183.145

20

9/23/2020 0:00

[8886]

15626:ITL LLC

Ukraine

144.217.207.15

4

9/16/2020 0:00

[1323]

16276:OVH SAS

Canada

Table 3: Rogue server data

Two other rouge servers within the same subnet (45.148.122.0/24, 64425:SKB Enterprise B.V.) have been linked to 794 Redis compromises. Unlike Kinsing, these are using random high ports. Multiple hosts within the 45.148.122.0/24 subnet have also been linked to scanning and Mirai activity and the IP 45.148.122.152 was also observed as top scanner in Table 1.  The third possible set of activity is also leveraging high ports for their rouge server: 165.227.102.206 (14061:DIGITALOCEAN-ASN). This host also appears to be cryptojacking related as its been observed hosting a known cryptomining payload dubbed “kpsmoused.” Figure 5 illustrates these rouge servers. 

Figure 4. Rogue Servers

So long as Redis remains easy to exploit, then we can expect the same level of targeting to continue. This is especially true when deploying Redis via Docker containers. Since version 3.2.0, Redis enters ‘protected mode’ upon installation. Protected mode only allows connections from loop-back interfaces to prevent exposure to the internet. 

Unfortunately, protected mode is disabled by default in the Redis Docker image. Although there is a warning about this in Redis’ Docker documentation, it is clearly not sufficient to prevent unauthorized access. This makes it more important than ever to lock down your Redis instances!

Indicators sourced for this blog are available here. We recommend you periodically run the Redis collection script to generate a recent list. If you found this blog useful then please share and follow us on Twitter!

 

 

Categories

Suggested for you