More than a thousand Redis servers have been infected by a custom malware called HeadCrab, researchers report.
The malware uses the infected endpoints to mine Monero, a privacy-focused cryptocurrency and hacker favorite.
Cybersecurity researchers from Aqua Security’s Nautilus team discovered a botnet of 1,200 Redis servers that had been infected over the past year and a half. The servers were located in the US, UK, Germany, India, Malaysia, China and other countries, and apart from being Redis servers, they have no other links.
Authentication is off by default
“The victims appear to have little in common, but the attacker appears to be primarily targeting Redis servers and has a deep understanding and expertise in Redis modules and APIs, as evidenced by the malware,” said researchers Asaf Eitani and Nitzan Yaakov.
It turns out that open-source Redis database servers have authentication disabled by default, allowing threat actors to access them and run code remotely without needing to authenticate as a user. Apparently, many Redis users never enabled the authentication feature, exposing their endpoints to attackers.
In addition, Redis clusters use master and slave servers for data replication and synchronization, allowing the attackers to use the standard SLAVEOF command and set the target endpoint as a slave to a Redis server they already control. That allows them to deploy the HeadCrab malware.
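The two weaknesses just described (authentication left off, and replication commands such as SLAVEOF callable by anyone who can connect) can be checked for in a redis.conf before a server is exposed. The audit below is an added example, not Aqua Security's tooling; it flags the missing auth, a disabled protected-mode, an all-interfaces bind, and SLAVEOF/REPLICAOF/MODULE/CONFIG left reachable instead of renamed or disabled. Both configs it reads are constructed samples.

```python
"""Audit a redis.conf for the exposure the article describes: authentication off
and replication/module commands reachable. Added example, not Aqua Security's
tooling; both configs below are constructed."""
# Constructed: a default-looking redis.conf with auth left commented out.
EXPOSED_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass foobared
"""
# Constructed: the same server after hardening (placeholder password).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass PLACEHOLDER-long-random-password
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

def parse_conf(text):
    """Map each active directive to a list of its values (rename-command repeats)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    if not (conf.get("requirepass") or conf.get("user") or conf.get("aclfile")):
        findings.append("no authentication (requirepass/ACL unset)")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    binds = conf.get("bind", ["*"])[0].split()  # no bind directive = all interfaces
    if any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("listening on all interfaces (bind %s)" % " ".join(binds))
    # Commands renamed to "" are disabled; anything else is callable once connected.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG"):
        if cmd not in renamed:
            findings.append("%s reachable (not renamed or disabled)" % cmd)
    return findings
```

Run `audit()` over a real redis.conf to get the same findings list; an empty list means the server at least requires a password, is not listening on every interface, and cannot be pointed at an attacker-controlled master by an anonymous client.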
The researchers don’t know who is behind the campaign, but from the attacker’s cryptocurrency wallets they conclude the operation makes about $4,500 per infected device per year.
“We noticed that the attacker went to great lengths to ensure the stealth of their attack,” the researchers added.
Monero is perhaps the most popular cryptocurrency among cryptojacking hackers. Over the years, there have been numerous reports of criminals deploying XMRig, a popular Monero miner, to servers and data centers around the world, saddling victims with huge electricity bills while rendering their servers virtually useless.
Via: The Register