An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to install a cryptocurrency miner.
It is not immediately known whether all of these hosts were successfully compromised. Nonetheless, the campaign was made possible by a "lesser-known technique" designed to trick the servers into writing data to arbitrary files, a form of unauthorized access that was first documented in September 2018.
“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory containing some method to authorize a user (like adding a key to ‘.ssh/authorized_keys’), or start a process (like adding a script to ‘/etc/cron.d’),” Censys said in a new write-up.
The attack surface management platform said it uncovered evidence (i.e., captured Redis commands) indicating efforts on the part of the attacker to store malicious crontab entries in the file "/var/spool/cron/root," resulting in the execution of a shell script hosted on a remote server.
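The command sequence behind this technique (CONFIG SET dir / dbfilename followed by SAVE) is easy to spot in Redis MONITOR output. The following detector is an added example, not code from Censys or the Redis project; the MONITOR lines it parses are constructed samples, and the list of sensitive directories is an assumption drawn from the paths named in the write-up.

```python
import posixpath
import re

# Directories where an RDB dump can become a cron job or SSH credential
# (assumption: based on the paths named in the write-up, extend as needed).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/.ssh")

# Redis MONITOR line shape: <timestamp> [<db> <client-addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^\S+ \[\d+ (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: one remote client retargets the dump file, one local
# client does a routine BGSAVE with the default dir.
SAMPLE_MONITOR_LINES = [
    '1664000000.123456 [0 203.0.113.5:41234] "CONFIG" "SET" "dir" "/var/spool/cron"',
    '1664000000.234567 [0 203.0.113.5:41234] "CONFIG" "SET" "dbfilename" "root"',
    '1664000000.345678 [0 203.0.113.5:41234] "SAVE"',
    '1664000001.000000 [0 127.0.0.1:50001] "SET" "session:1" "abc"',
    '1664000001.100000 [0 127.0.0.1:50001] "BGSAVE"',
]


def detect_rdb_file_writes(lines):
    """Return one alert per SAVE/BGSAVE whose dump path lands in a sensitive dir.

    State is tracked per client address, since CONFIG SET and SAVE arrive as
    separate commands from the same connection.
    """
    state = {}   # client address -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in lines:
        m = MONITOR_RE.match(line)
        if not m:
            continue
        client, args = m.group("client"), ARG_RE.findall(m.group("args"))
        if not args:
            continue
        cmd, st = args[0].upper(), state.setdefault(client, {})
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() in ("dir", "dbfilename"):
                st[args[2].lower()] = args[3]
        elif cmd in ("SAVE", "BGSAVE") and "dir" in st:
            path = posixpath.normpath(posixpath.join(st["dir"], st.get("dbfilename", "dump.rdb")))
            if any(s in path for s in SENSITIVE_DIRS):
                alerts.append({"client": client, "command": cmd, "path": path})
    return alerts
```

Run over a live `redis-cli MONITOR` stream, this flags the write before the cron daemon ever reads the dump; pairing it with `rename-command CONFIG ""` and `protected-mode yes` removes the primitive altogether.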