Researchers have discovered that insecure installations of the popular open source Redis in-memory cache application are being abused in their thousands for fake ransomware attacks on Linux servers.
A recent wave of attacks, first reported on the anti-malware forum Bleeping Computer, was initially thought to be ransomware, dubbed Fairware, that deleted web folders on Linux servers.
The attackers are demanding a two Bitcoin (A$1515) ransom "within 2 weeks from now to retrieve your files and prevent them from being leaked". However, in no case was any ransomware left on the hacked computers.
Researchers at Duo Labs and Bleeping Computer operator Lawrence Abrams were later able to connect the attacks to insecure web-facing Redis instances which can be abused to hack Linux servers.
The open source cache app is designed to be accessed by trusted clients inside trusted environments, and the developers suggest that "this means that usually it is not a good idea to expose the Redis instance directly to the internet".
Duo Labs said if Redis instances are connected directly to the internet, hackers can not only view and modify the stored data, they can also remotely reconfigure the application and take full control of the device. No password or other login credentials are required.
A secure shell (SSH) key named "crackit" was found on the compromised Linux servers. Duo Labs found that the attack is performed by sending a CONFIG command to the Redis instance: the hackers deleted the existing credentials and added their own SSH key so they could log in to the server remotely with root superuser privileges.
Duo Labs set up a honeypot Linux server that exposed a vulnerable version of Redis to the internet.
An attack took place, with an unknown hacker deleting web server folders and the server database on the compromised host, and leaving a "ransom note" saying the folders and files had been encrypted. They demanded two Bitcoin to restore them.
The problem is widespread, Duo Labs said, with over 18,000 insecure, outdated Redis installations found via the Shodan.io vulnerability scanner. Some 13,000 insecure hosts showed evidence of compromise, Duo Labs said.
Duo Labs suggested Redis users disable the CONFIG command if it isn't needed, and set up a complex password for all connections to the app to prevent abuse.
The updated version 3.2.0 of Redis offers a protected mode feature that stops the app from being deployed with an insecure, password-less configuration.
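The following script is an added example, not code from the article, Duo Labs or the Redis project. It audits a redis.conf for the mitigations described above (binding to a trusted interface, protected mode, a password via requirepass, and the CONFIG command disabled via rename-command). The two sample configurations are constructed for the demonstration; the password value is a placeholder.

```python
"""Audit a redis.conf against the hardening steps described in the article:
restrict the listening interface, enable protected-mode (Redis 3.2.0+),
require a password, and disable the CONFIG command."""

WEAK_CONF = """\
# Constructed sample: a config that leaves Redis reachable and unauthenticated
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
"""

HARDENED_CONF = """\
# Constructed sample: the same instance after applying the mitigations
bind 127.0.0.1
port 6379
protected-mode yes
requirepass 4f1b9c2e7d8a6b3c5e0f1a2b3c4d5e6f
rename-command CONFIG ""
"""


def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument lists seen,
    in file order, ignoring blank lines and # comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit(text):
    """Return a list of findings; an empty list means every check passed.
    The last occurrence of a directive wins, as in Redis itself."""
    conf = parse_conf(text)
    findings = []

    # 1. Listening interface: no bind, or a wildcard bind, exposes the port.
    binds = conf.get("bind")
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(addr in ("0.0.0.0", "::", "*") for addr in binds[-1]):
        findings.append("bind includes a wildcard address: reachable from the internet")

    # 2. protected-mode (Redis 3.2.0+) refuses remote clients when no password is set.
    mode = conf.get("protected-mode")
    if mode is None:
        findings.append("protected-mode not set: only Redis 3.2.0+ defaults it to yes")
    elif not mode[-1] or mode[-1][0].lower() != "yes":
        findings.append("protected-mode is off")

    # 3. requirepass: without it any client may run any command, CONFIG included.
    pw = conf.get("requirepass")
    if not pw or not pw[-1]:
        findings.append("no requirepass: connections need no credentials")
    elif len(pw[-1][0]) < 16:
        findings.append("requirepass is short: easy to guess over the network")

    # 4. CONFIG disabled: `rename-command CONFIG ""` removes the command entirely.
    renames = [args for args in conf.get("rename-command", [])
               if args and args[0].upper() == "CONFIG"]
    if not renames:
        findings.append("CONFIG command still available: remote reconfiguration possible")
    elif renames[-1][1:] not in (['""'], ["''"]):
        findings.append("CONFIG renamed but not disabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

Run against a real redis.conf by reading the file into `audit()`; the weak sample produces four findings and the hardened one none. The check treats an absent protected-mode directive as a finding because only Redis 3.2.0 and later default it to on.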