Does your organization have any Redis servers exposed to the internet? If so, you should disconnect them from the public and ensure Redis services are exposed to only “trusted” environments such as your internal company network.
Redis is an open source tool and in-memory data structure store, used as a database, cache and message broker.
Imperva security researchers published new research on the threat of internet-exposed Redis servers. The company used the Shodan query ‘port:6379’ to discover nearly 72,000 Redis systems and then scanned them.
Although Imperva couldn’t find errors on 10K of the Redis systems, it did find that most of the open systems (75%) were infected with malware.
The Imperva scan results include:
Imperva analyzed the scanned data to find shared keys/values (also observed in its honeypot data) that are likely used by attackers or malicious bots to carry out attacks on other systems.
“Redis should not be publicly exposed as it has no default authentication and all the data is stored in clear text. We often see issues arise when people don’t read the documentation and migrate services to the cloud, without being aware of the consequences or the adequate measures that are needed to do so,” Imperva added.
Imperva also emphasized three key points from the Redis security advisory:
- Don’t expose your Redis systems to the internet
- Apply authentication
- Don’t store sensitive data in clear text
The company further recommended monitoring your systems for malicious or suspicious activity (such as high CPU utilization, often a symptom of cryptomining malware) and running Redis with only the privileges it needs (e.g., not as root).
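As an added example (not from the article, Imperva or the Redis project), here is a small Python audit that checks a redis.conf against the exposure points above: a wildcard `bind`, `protected-mode no`, and a missing `requirepass`. Both configuration texts are constructed for illustration; the directive names are real redis.conf directives.

```python
"""Audit a redis.conf for the exposure issues the article lists."""

# constructed sample: what an internet-facing Redis with no auth looks like
WEAK_CONF = """\
# listen on every interface, no password, safety net switched off
bind 0.0.0.0 -::*
protected-mode no
port 6379
"""

# constructed sample: same instance limited to loopback plus an internal NIC
HARDENED_CONF = """\
bind 127.0.0.1 -10.0.0.5
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
"""

# addresses that make Redis accept connections from any interface
WILDCARDS = {"*", "0.0.0.0", "::", "::*"}

def parse_conf(text):
    """Map each active directive to its argument list (comments dropped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name.lower()] = args
    return conf

def audit(text):
    """Return human-readable findings; an empty list means none found."""
    conf = parse_conf(text)
    findings = []
    # Redis 6+ allows a leading '-' meaning "bind only if the address exists"
    binds = [b.lstrip("-") for b in conf.get("bind", [])]
    if not binds or any(b in WILDCARDS for b in binds):
        findings.append("bind: listens on all interfaces (internet exposure)")
    if [a.lower() for a in conf.get("protected-mode", ["yes"])] == ["no"]:
        findings.append("protected-mode no: remote unauthenticated clients allowed")
    if not conf.get("requirepass"):
        findings.append("requirepass missing: no authentication configured")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(text) or ["ok"])
```

Note that `requirepass` only covers the second of the three points; whether sensitive data is stored in clear text has to be checked at the application layer, not in redis.conf.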