At least 1,200 Redis database servers worldwide have been compromised by a sophisticated piece of malware since September 2021, while more than 2,800 uninfected servers remain at high risk of exploitation.
Discovered by Asaf Eitnai and Nitzan Yaakov, the Aqua Nautilus security researchers posted on the company’s blog that the malware, which they’re calling “HeadCrab,” was meticulously built by attackers and is undetectable using agentless and conventional anti-virus solutions.
"The attackers seem to mainly target Redis servers and have a deep understanding and expertise in Redis modules and APIs as demonstrated by the malware," the post read.
Specifically, researchers found that the malware has been designed to evade volume-based scans by running solely in memory without being stored on disk. Also, logs are deleted using the Redis module framework and API. The attacker primarily communicates with legitimate IP addresses to further bypass detection.
In addition to 1,200 infected Redis servers detected, Aqua threat lead analyst Assaf Morag told SC Media that an additional 2,800 servers, if not 43,000 servers, are also at risk of exploitation.
"That said, this is a serious threat that needs to be monitored and addressed," Morag warned.
While the ultimate purpose of the malware is to build a botnet for cryptocurrency mining, Eitnai added that it has the capability to perform many other malicious activities, allowing attackers to execute shell commands, load fileless kernel modules, and exfiltrate data to remote servers,he said the team also speculated that the attacker used SSH capabilities to infect other servers.
Redis is an open-source, in-memory data structure store that can be used as a database, cache or message broker. By default, it is not authenticated and should be run in a closed and secure network. However, when users install it improperly, it is exposed to the internet and targeted by threat actors.
Redis servers have suffered several attacks in recent years as they have become more popular within the community. In December last year, Aqua researchers discovered a stealthy backdoor malware targeting the servers. And earlier in 2020, TeamTNT was found to conduct novel attacks against vulnerable Redis servers using S3 buckets and the web service IPlogger as their C2 servers.