At 15:06 on September 10, Ali Cloud detected for the first time a large-scale ransomware campaign exploiting the Redis unauthorized-access vulnerability. Ali Cloud's defense system began blocking the attack across the whole network within 10 seconds of its start.

Unlike earlier attacks, which only stole computing power for mining, these attackers set out from the very beginning with extortion as their primary goal, unafraid of exposure and extremely brazen. Deleting and encrypting data leaves no buffer zone between attacker and defender; the confrontation is a bare-knuckle fight.

Ali Cloud issued an early warning about this high-risk vulnerability half a year ago, but many users did not take it seriously and never applied the fix. Ali Cloud security experts remind users to follow the method at the end of this article and complete the vulnerability fix or deploy defenses as soon as possible: once an attack succeeds, all programs and data on the server will be deleted, and recovery is very difficult.

Introduction to Redis applications

Redis is an open-source, network-enabled, in-memory key-value database with persistent logging, written in ANSI C, that provides APIs for many languages. Since March 15, 2010, Redis development has been hosted by VMware; it has been sponsored by Pivotal since May 2013.

Redis vulnerability principle

As an in-memory database, Redis can be configured to periodically write its cached values to a file on disk, or be told to do so manually with the save command. If the Redis process runs with sufficient permissions, an attacker can exploit the unauthorized-access vulnerability to write scheduled tasks, SSH login keys, webshells, and so on, and thereby execute arbitrary commands.

Since December 2017, as this vulnerability has come into widespread use, many botnets such as DDG have targeted it to spread rapidly and seize computing power, and the major botnets delete one another to make sure each alone controls a machine's computing power.

Description of the attack process

● First, through prior scanning, the attacker identifies machines that are reachable from the public network and have no password set.

● The attacker tries to connect to these machines and runs the following code:

The above instruction downloads the script http://103.224.80.52/butterfly.sh, writes it into the scheduled tasks, and the scheduled task then starts executing it.

Because the attacker noticed our reverse probe during analysis, the script was taken offline. Our honeypot nonetheless managed to capture the script, shown below:

● The attacker demands that the victim send 0.6 coins (bitcoin) to the address 3 jpadcornqateedoy59ktgf38gzil5kiny, otherwise the data backup will be deleted within 24 hours.

● But it is clear from the script that the attacker made no backup at all, and would not return the data even if the victim paid.

As of 8 pm on September 10, the address had received 0.6 bitcoin in transfers, all of them made that day. Some victims had already begun paying.

Security recommendations

● Use security groups to restrict public-network access to services such as Redis

● Edit the redis.conf configuration file to add password authentication and hide (rename) important commands

● Run the Redis service with low privileges, etc.
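As an added example (not Ali Cloud's own tooling), the following Python script audits a redis.conf against the recommendations above: whether Redis is bound to a non-public address, whether a password is required, whether protected mode is on, and whether the commands the attack chain depends on have been renamed. The directive names are Redis's own; the two sample configurations are constructed for this demonstration.

```python
"""Audit a redis.conf against the recommendations above. Added example, not
Ali Cloud's tooling; directive names are Redis's own, samples are constructed."""
import shlex

# Commands the attack chain above relies on: CONFIG SET to retarget dir/dbfilename,
# SAVE/BGSAVE to write the dump file, FLUSHALL to wipe data. rename-command hides them.
DANGEROUS = ("CONFIG", "SAVE", "BGSAVE", "FLUSHALL")

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return the list of findings; an empty list means the config passes."""
    conf = parse_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(a in ("0.0.0.0", "::", "*") for a in binds):
        findings.append("bind: listens on every interface; bind 127.0.0.1 or an internal address")
    if not any(args and args[0] for args in conf.get("requirepass", [])):
        findings.append("requirepass: unset; anyone who can reach the port has full access")
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    exposed = [c for c in DANGEROUS if c not in renamed]
    if exposed:
        findings.append("rename-command: still exposed: " + ", ".join(exposed))
    return findings

# Constructed samples: an exposed instance like those described above, and one
# with the recommendations applied (the password is a placeholder).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\ndir /var/lib/redis\n"
HARDENED_CONF = ("bind 127.0.0.1\nprotected-mode yes\n"
                 'requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"\n'
                 + "".join('rename-command %s ""\n' % c for c in DANGEROUS))
```

`audit(WEAK_CONF)` returns four findings, one per missing recommendation, while `audit(HARDENED_CONF)` returns an empty list. Renaming CONFIG to "" also disables CONFIG SET, which the write-to-scheduled-tasks technique above depends on, so pair it with a bind address and password rather than relying on it alone.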