The recent Fairware attacks have baffled many Linux server admins who were relying on antivirus and other anti-malware software. Fairware attacks, reported a couple of weeks ago, resulted in the disappearance of the Linux server’s web folder and the hosted websites going down indefinitely. Researchers have now traced these attacks to insecure Redis installations.
Redis is an open source in-memory data structure server that has proved useful to developers, especially because it lets them cache data quickly.
Here’s what the Redis website says about Redis: “Redis is an open source (BSD licensed), in-memory data structure store, used as database, cache and message broker. It supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs and geospatial indexes with radius queries. Redis has built-in replication, Lua scripting, LRU eviction, transactions and different levels of on-disk persistence, and provides high availability via Redis Sentinel and automatic partitioning with Redis Cluster. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing an element to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set.”
The Redis-Fairware connection!
The developers behind Redis intend it to be accessed only by trusted clients inside trusted environments, and they state plainly that Redis is not meant to be exposed to the internet.
Meanwhile, as many as 18,000 insecure Redis instances have been detected online, and researchers have found evidence of attacks against 13,000 of them. Not all of these have been compromised, but researchers expect the problem to grow and cause further damage.
As for the Fairware attacks, these were reported independently in posts to the BleepingComputer forums and had nothing to do with the research on insecure Redis instances. In both cases, however, attackers deleted web folders on the servers and left behind a link to a Pastebin page hosting a ransom note. On comparing details such as the ransom notes (demanding two Bitcoin for the safe return of the files), the IP addresses, and the SSH keys used by the attackers, researchers inferred that the two are connected. No crypto-ransomware was found left behind in either case, and the intrusions could well have come through the insecure Redis instances. One victim believed the intrusions were most likely the result of brute-force attacks against SSH, but this is now seen as a misdiagnosis: that victim saw the attacker logging in over SSH and assumed SSH itself had been brute-forced.
Redis ends up exposed to the internet because clients connect to these instances to GET and SET data, make configuration changes remotely, and so on. According to the analysis reports, most of the exposed Redis instances run outdated versions of the software; newer versions include a protected mode that closes this attack vector. Attackers were able to log in as root by abusing Redis: they remotely configured Redis to write a key/value to disk inside the root user’s folder, with the value pointing to their own public SSH key, which then allowed them to log in over SSH. The presence of a key called ‘Crackit’ in both the Redis attacks and the Fairware attacks further establishes the connection.
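To check a server’s own redis.conf for the kind of exposure described above, here is an added Python audit script. It is not from the article or the Redis project; the directive names (bind, protected-mode, requirepass, rename-command) are real Redis directives, while the two config fragments are constructed samples and the password value is a placeholder.

```python
import shlex

# Constructed redis.conf fragments (not taken from any real deployment):
# EXPOSED_CONF mirrors the exposed setup the article describes,
# HARDENED_CONF is the corrected counterpart.
EXPOSED_CONF = """\
port 6379
# bind 127.0.0.1
protected-mode no
"""

HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-placeholder
rename-command CONFIG ""
"""


def parse_redis_conf(text):
    """Return a list of (directive, [args]) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the "" used to disable a command
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Flag settings that let an unauthenticated remote client reach CONFIG SET."""
    last, renamed = {}, {}
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            last[directive] = args  # Redis applies the last occurrence
    findings = []
    binds = last.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listens on all interfaces; bind to 127.0.0.1 or a private address")
    if (last.get("protected-mode") or [""])[0].lower() != "yes":
        findings.append("protected-mode: not 'yes' (off, or unset on a Redis older than 3.2, "
                        "which has no protected mode); upgrade and set protected-mode yes")
    if not last.get("requirepass"):
        findings.append("requirepass: unset; any client that can connect is fully trusted")
    if renamed.get("CONFIG", "CONFIG") == "CONFIG":
        findings.append('rename-command: CONFIG still reachable; add rename-command CONFIG ""')
    return findings
```

Run it against the real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`; an empty list means none of the four checks fired.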
On the one hand, experts advise victims not to pay the ransom, since it is most likely a scam. At the same time, researchers expect more such attacks as long as Redis keeps being deployed insecurely on the open internet.