More than a thousand Redis servers have been infected with custom malware called HeadCrab, according to researchers.
The malware turns infected endpoints into miners of Monero, a privacy-oriented cryptocurrency and a favorite of hackers.
Aqua Security’s Nautilus research team discovered a botnet of 1,200 Redis servers that had been infected over the past year and a half. The servers were located in the US, UK, Germany, India, Malaysia, China and elsewhere, and other than all being Redis servers, they have nothing else in common.
Authentication disabled by default
“The victims appear to have little in common, but the attacker seems to be targeting Redis servers mainly, and has a deep understanding and expertise in Redis modules and APIs, as evidenced by the malware,” said researchers Asaf Eitani and Nitzan Yaakov.
As it turns out, open source Redis database servers have authentication disabled by default, allowing cybercriminals to access them and execute code remotely without having to authenticate as a user. Apparently, many Redis users forgot to enable the authentication feature, exposing their endpoints to attacks.
Moreover, Redis clusters use master and slave servers to replicate and synchronize data, which allows attackers to issue the default SLAVEOF command and make the target endpoint a slave of a Redis server they already control. This is how they deploy the HeadCrab malware.
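The two weaknesses described above (no authentication and replication commands reachable by any client) are both visible in a server's redis.conf. The following script, an added example that is not code from Aqua Security, The Register or the Redis project, parses a config file and flags the settings a defender would want to change: a missing requirepass, protected-mode switched off, a listener bound to every interface, and SLAVEOF/REPLICAOF and MODULE left under their default names. The directive names are real redis.conf directives; the two sample configs are constructed for the demonstration.

```python
"""Audit a redis.conf for the exposures the HeadCrab campaign relied on.

Added illustration, not code from Aqua Security or the Redis project.
Directive names are real redis.conf directives; sample configs below are
constructed for the demo, not taken from any real server."""

# Commands that re-point replication, plus the module loader; an instance is
# considered hardened when rename-command has renamed or disabled them.
REPLICATION_CMDS = {"slaveof", "replicaof"}
MODULE_CMDS = {"module"}
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for a redis.conf body.

    Redis only treats lines that begin with '#' as comments (there are no
    inline comments), so a '#' inside a value is kept. Directive names are
    case-insensitive; repeated directives are kept in order, last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def _unquote(value):
    """Strip one pair of matching quotes from a config value, if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def renamed_commands(conf):
    """Lower-cased names of commands that rename-command moved away from
    their default name or disabled outright (rename-command X "")."""
    handled = set()
    for value in conf.get("rename-command", []):
        tokens = value.split(None, 1)
        if len(tokens) == 2:
            handled.add(tokens[0].lower())
    return handled


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Authentication: an empty or absent requirepass means any client runs commands.
    passwords = [_unquote(v) for v in conf.get("requirepass", [])]
    if not any(passwords):
        findings.append("requirepass not set: clients that reach the port run commands unauthenticated")

    # 2. protected-mode defaults to yes; 'no' removes the loopback-only safety net.
    if _unquote(conf.get("protected-mode", ["yes"])[-1]).lower() != "yes":
        findings.append("protected-mode disabled: remote hosts can connect even without a password")

    # 3. No bind directive, or a wildcard bind, exposes the listener on every interface.
    bind_values = conf.get("bind", [])
    bind_tokens = {t.lstrip("-") for v in bind_values for t in v.split()}
    if not bind_values or bind_tokens & WILDCARD_BINDS:
        findings.append("bind missing or wildcard: the listener is reachable on every interface")

    # 4/5. Replication and module commands still reachable under their default names.
    handled = renamed_commands(conf)
    if not REPLICATION_CMDS & handled:
        findings.append("SLAVEOF/REPLICAOF available under default names: any client can change this instance's master")
    if not MODULE_CMDS & handled:
        findings.append("MODULE available under its default name: modules can be loaded at runtime")
    return findings


WEAK_CONF = """\
# constructed sample: a stock-looking config left reachable from the network
port 6379
daemonize yes
protected-mode no
"""

HARDENED_CONF = """\
# constructed sample: the same server after hardening
port 6379
daemonize yes
bind 127.0.0.1 -::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_redis_conf(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for item in findings:
            print("  -", item)
```

Run against the weak sample it reports all five findings; against the hardened sample it reports none. On Redis 6 and later, ACL rules (`ACL SETUSER` with per-command or per-category restrictions) are the preferred way to keep SLAVEOF, REPLICAOF and MODULE away from ordinary clients; rename-command is the older mechanism and is what this checker looks for.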
The researchers do not know who is behind the campaign, but looking at their cryptocurrency wallets, they deduce that they bring in around $4,500 per infected device per year.
“We noticed that the attacker went to great lengths to ensure that his attack was concealed,” the researchers added.
Monero is probably the most popular cryptocurrency among cryptojacking hackers. Over the years, there have been countless reports of criminals deploying XMRig, the popular Monero miner, on servers and data centers around the world, leaving victims with huge electricity bills while rendering their servers virtually unusable.
Source: The Register