More Than 8,000 Unsecured Redis Instances Found in the Cloud

By David Fiser (Security Researcher)


We discovered 8,000 Redis instances running unsecured in different parts of the world, including ones deployed in public clouds. These instances lack Transport Layer Security (TLS) encryption and are not password protected. According to its developers, Redis was originally intended to be used only in trusted environments. However, when Redis servers are left unsecured and internet-facing, or are integrated into internet of things (IoT) devices, cybercriminals can find and abuse them to launch attacks such as SQL injections, cross-site scripting, malicious file uploads, and even remote code execution, among others. Threat actors can also view, access, and modify stored data in exposed Redis instances. In a previous case, a fake ransomware called Fairware targeted 18,000 unsecured Redis instances on hacked Linux servers.


We reached out to Redis, and they shared that Redis has a protected mode configuration, which has been available since version 4.0, released in July 2017. This special configuration was also backported to an earlier version, Redis 3.2.0. Protected mode kicks in when Redis is executed with the default configuration and without any password protection. In this mode, Redis replies only to queries from the loopback interfaces and sends an error message to clients attempting to connect from other IP addresses. This is an extra protective measure that aims to lessen the chances of unsecured Redis instances being accessed from external networks. Redis cautions, however, that despite the error messages being sent in the protected mode, system administrators can still ignore these messages, manually bind all of the inte ..
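As an added example (not code from the article or from Redis), the following Python audit reads a `redis.conf` and reports the weaknesses described above: no password, protected mode disabled, a non-loopback bind, and no TLS listener. The function names, finding IDs and both sample configurations are constructed for illustration; Redis 6+ ACL users are not considered, and a missing `bind` line is assumed to mean all interfaces.

```python
import ipaddress

# Constructed sample configurations (not taken from the article).
EXPOSED_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 0
tls-port 6380
requirepass "constructed-placeholder-secret"
"""

def parse_conf(text):
    """Map each directive to its argument list; a later line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = [p.strip('"') for p in parts[1:]]
    return conf

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a leading '-' (optional address) is ignored."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # wildcard ("*") or hostname: assume reachable from outside

def first(conf, key, default):
    """First argument of a directive, or the default if absent or empty."""
    return (conf.get(key) or [default])[0]

def audit(text):
    """Return finding IDs (hypothetical names) for the weaknesses the article describes."""
    conf = parse_conf(text)
    no_password = first(conf, "requirepass", "") == ""
    protected = first(conf, "protected-mode", "yes").lower() == "yes"
    binds = conf.get("bind", [])
    # Assumption: no bind directive means Redis listens on every interface.
    remote = not binds or not all(is_loopback(a) for a in binds)
    checks = [
        ("no-password", no_password),
        ("protected-mode-off", not protected),
        ("non-loopback-bind", remote),
        ("no-tls", first(conf, "tls-port", "0") == "0"),
        # The combination that leaves an instance open to any remote client.
        ("unauthenticated-remote-access", no_password and remote and not protected),
    ]
    return [name for name, hit in checks if hit]
```

An empty finding list means none of these four conditions was detected in the file; it does not cover firewall rules or cloud security groups in front of the instance.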