Researchers have disclosed a new peer-to-peer (P2P) worm called P2PInfect that actively targets vulnerable Redis servers for exploitation.
Palo Alto Networks Unit 42 researchers found that "P2PInfect exploits Redis servers running on both Linux and Windows operating systems, making it more scalable and potent than other worms." It is written in the increasingly popular Rust programming language, which makes it cloud-friendly and better able to spread across multiple operating systems.
Unit 42, which first detected P2PInfect on 11 July, also found that it breaks into Redis servers left vulnerable to CVE-2022-0543, a maximum-severity Lua sandbox escape vulnerability. More than 307,000 Redis systems are publicly reachable, but it is estimated that only 934 unique Redis systems are potentially vulnerable to the threat.
"Unit 42 believes this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network." However, the threat group's end goal remains unclear. The term "miner" appears in places in the worm's toolkit, but there is no evidence that the malware has been used in crypto-mining campaigns.
Successful exploitation gives the malware remote code execution on compromised devices. Once deployed, the P2PInfect worm installs an initial malicious payload that opens a peer-to-peer (P2P) communication channel to a larger P2P network of other infected devices, which is used for auto-propagation and to fetch additional malicious binaries, including scanning software that propagates the malware to other exposed Redis and SSH hosts.
"The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances," the researchers said.
Many threat actors have targeted Redis servers over the years, mostly to add them to DDoS and cryptojacking botnets. CVE-2022-0543 exploits have already been used for initial access by other botnets targeting Redis instances, including Muhstik and Redigo, for purposes including DDoS and brute-forcing attacks.
Since so many instances are exposed online, many Redis server admins may not realise that Redis lacks a secure-by-default configuration. The researchers added that exploiting Redis in this way makes the P2PInfect worm more effective at operating and propagating in cloud container environments. Experts advise monitoring Redis deployments on-premises and in the cloud for files with random names, and urge keeping all Redis instances updated to the latest versions, which will help mitigate this worm.
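A defender's config audit, added here as an example (it is not code from Unit 42, the Redis project, or the article): it reads constructed redis.conf fragments and flags the settings that leave an instance reachable by unauthenticated clients, with an exposed configuration shown beside a hardened one.

```python
# Constructed redis.conf fragments (not from the article) illustrating the point that
# Redis is not secure by default: an exposed instance beside a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# no requirepass, no rename-command
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass CHANGEME-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Values that make `bind` listen on every interface (a leading "-" is Redis' optional-address marker).
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}

def parse_conf(text):
    """Parse redis.conf lines into {directive: [argument strings]}; repeatable directives keep every value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_redis_conf(text):
    """Return findings (one string each) for settings that leave the instance exposed; [] if none."""
    conf = parse_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b.lstrip("-") in ALL_INTERFACES for b in binds):  # absent bind == all interfaces
        findings.append("bind: listens on all interfaces; restrict to loopback or an internal address")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled; re-enable so unauthenticated remote clients are refused")
    if not any(v.strip() for v in conf.get("requirepass", [])):
        findings.append("requirepass: not set; any client that can reach the port can run any command")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "DEBUG"):  # administrative commands that should not be reachable by name
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    return findings
```

On Redis 6 and later, ACLs are the preferred replacement for rename-command; the check above still catches an instance that has neither.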