A recent run of attacks against Linux servers called Fairware has been traced to insecure internet-facing Redis installations that hackers have abused to delete web folders and, in some cases, install malicious code.
Redis is an open source tool used by web application developers for the purpose of quickly caching data. The tool’s developers configured Redis to be accessed only by trusted clients inside trusted environments, and are adamant that Redis instances are not meant to be exposed to the internet.
Researchers at Duo Labs, however, found 18,000 insecure Redis implementations online, and discovered evidence of attacks against 13,000. While not each one was compromised, Duo Labs’ Jordan Wright said, there is potential for the problem to grow.
The Fairware attacks, meanwhile, were reported in posts to the forums at BleepingComputer independently of Duo Labs’ research. In both cases, attackers were deleting web folders on the servers and leaving behind a link to a Pastebin site hosting a ransom note.
Comparisons between a number of the notes and other artifacts, such as IP addresses and SSH keys used by the attackers, are enough evidence to connect the attacks, researchers at Duo Labs and BleepingComputer said.
The ransom note adds urgency for the victims. One note obtained by Duo Labs says the files have been encrypted and demands two Bitcoin for the private decryption key. Other samples of the note posted to BleepingComputer say the servers are infected with Fairware ransomware and make a similar two Bitcoin demand or the files will be leaked online. The attackers, however, insist that victims do not contact them about verifying the attack or possession of the deleted or encrypted files.
In neither case, however, is there evidence of any crypto-ransomware left behind on the machine. The attackers were able, instead, to hack the Linux servers through the exposed Redis instances. Initially, some of the victims believed the attackers were able to access the servers by brute-forcing their SSH keys.
“I think the brute force aspect was a misdiagnosis,” Wright said. “The victims saw SSH showing the attacker logging in and assumed that was it. But they were exploiting different software in Redis and getting in, no brute force required.”
Duo Labs set up a honeypot and observed instead that the attackers were carrying out a “clever” attack, Wright said.
The problem begins with the exposure of Redis instances to the Internet. Clients generally connect to these instances and are able to issue commands to GET and SET data, retrieve system information or make configuration changes remotely. Doing a Shodan search, Duo Labs learned that the majority of connected Redis instances are running on outdated versions of the software; newer versions include a protected mode that shuts down this attack vector.
Since instances can be reconfigured remotely, attackers were able to configure Redis to store a key/value on the disk in the root folder pointing to their public SSH key allowing them to log into Redis as a root user.
Duo Labs said it found a key called “crackit” on most of the infected hosts that contained the same public SSH key. BleepingComputer’s Lawrence Abrams told Threatpost that he confirmed with a number of victims that they were seeing the same “crackit” SSH key and IP addresses involved in the attacks. Duo said it observed attacks from 15 IP addresses. Wright said another key called “qwe” was on close to 4,000 instances.
“We believe this was set by a separate actor who was downloading and executing DDoS malware,” Wright said. “At this point, whenever you compromise a Redis instance this way (adding an SSH key to gain root access), the box is fully compromised. They can just SSH in, and totally compromise the device. It’s never good when something so simple is automated in this way. It’s game over.”
Victims, meanwhile, are encouraged not to pay the ransom since this is likely a scam and the files have been deleted. Researchers said they did not see evidence the files were encrypted nor backed up.
“The big thing is Redis is out there on the internet, not being upgraded and deployed insecurely,” Wright said. “I’ll be interested if we see more of these ‘ransomware’ attacks where files are deleted rather than encrypted.”