P2PInfect: Self-Replicating Worm Hits Redis Instances

By Waqas

HackRead

The worm exploits CVE-2022-0543, a Lua sandbox escape in Debian-packaged Redis that carries the maximum score of 10.0 on the CVSSv3 severity scale.

Security experts have issued a warning about a highly sophisticated peer-to-peer (P2P) worm, written in Rust, that is specifically targeting instances of the popular open-source database software Redis.

Known as ‘P2PInfect,’ the worm exploits a critical vulnerability to infiltrate Redis instances and assimilates them into a larger P2P network, enabling it to spread rapidly.

Researchers from Unit 42, Palo Alto Networks’ cloud research team, identified the worm and named it after a term found in leaked symbols within its code. The worm exploits CVE-2022-0543, a Lua sandbox escape that is specific to Debian-packaged Redis (a packaging issue rather than a flaw in upstream Redis) and that yields remote code execution on an unpatched server; it carries the maximum score of 10.0 on the CVSSv3 severity scale, indicating its significant threat potential.

(Screenshot shared by the researchers: the name P2PInfect appearing in the binary’s leaked symbols)

P2PInfect establishes its foothold in cloud container environments, which sets it apart from other worms that target Redis, such as the cryptojacking malware operated by Adept Libra (aka TeamTNT) and Thief Libra (aka WatchDog).

Once inside a Redis instance on Windows, the worm runs a PowerShell script that rewrites the local firewall rules, locking the legitimate owners out of the compromised Redis instance while leaving the operators’ own access open.

One of the worm’s sophisticated techniques for persistence involves a process named ‘Monitor,’ stored in the Temp folder within a user’s AppData directory. This process downloads multiple randomly named P2PInfect executables alongside an encrypted configuration file, ensuring its long-term presence on infected systems.

Researchers have observed that the worm establishes a P2P connection via port 60100 to a large command and control (C2) botnet. While samples downloaded from the C2 include files labelled ‘miner’ and ‘winminer,’ there is no evidence yet of P2PInfect engaging in cryptomining using infected instances.
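The one network indicator the article gives is the peer-to-peer port, and a single port is a weak signal on its own. The hunt below is an added example, not code from the article or from Unit 42: it flags a host only when it has been seen serving Redis traffic and has since fanned out to several distinct peers on port 60100, which is the shape the worm’s P2P join would have from the inside of a network. The log format (whitespace-separated epoch, source, destination, destination port, protocol), every sample row and the `MIN_PEERS` threshold are constructed assumptions to be replaced with your own flow or firewall data; the port itself can of course change in later variants.

```python
"""
Hunt for P2PInfect-style peer-to-peer fan-out in connection logs.

Added example; not code from the article or Unit 42. Log format, sample rows
and the MIN_PEERS threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

REDIS_PORT = 6379
P2P_PORT = 60100   # P2PInfect's peer-to-peer port, per the Unit 42 report
MIN_PEERS = 3      # assumption: distinct 60100 peers before we alert


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Conn:
    """Parse one constructed log row; raises ValueError on malformed rows."""
    ts, src, dst, dport, proto = line.split()
    return Conn(float(ts), src, dst, int(dport), proto.lower())


def find_suspects(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {redis_host: sorted 60100 peers} for hosts over the threshold.

    A 60100 connection only counts if the source host was already seen
    accepting Redis traffic, so a host that talks to 60100 for some
    unrelated reason and never exposes 6379 is not flagged.
    """
    rows = (parse_line(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#"))
    conns = sorted(rows, key=lambda c: c.ts)
    first_redis_seen: Dict[str, float] = {}
    peers: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        if c.proto != "tcp":
            continue
        if c.dport == REDIS_PORT:
            first_redis_seen.setdefault(c.dst, c.ts)
        elif (c.dport == P2P_PORT and c.src in first_redis_seen
              and c.ts >= first_redis_seen[c.src]):
            peers[c.src].add(c.dst)
    return {h: sorted(p) for h, p in peers.items() if len(p) >= MIN_PEERS}


# Constructed sample: 10.0.0.5 is a Redis server that is probed from the
# internet and then fans out on 60100; 10.0.0.9 is a web tier that talks to
# Redis legitimately; 10.0.0.20 touches 60100 once and never serves Redis.
SAMPLE_LOG = """\
# epoch        src            dst            dport  proto
1689076800.0   10.0.0.9       10.0.0.5       6379   tcp
1689076805.0   10.0.0.20      203.0.113.99   60100  tcp
1689076810.0   198.51.100.7   10.0.0.5       6379   tcp
1689076812.0   10.0.0.5       203.0.113.10   60100  tcp
1689076813.0   10.0.0.5       203.0.113.11   60100  tcp
1689076814.0   10.0.0.5       203.0.113.11   60100  tcp
1689076815.0   10.0.0.5       203.0.113.12   60100  tcp
1689076820.0   10.0.0.5       203.0.113.13   60100  udp
"""

if __name__ == "__main__":
    for host, found in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(found)} distinct peers on {P2P_PORT}: {', '.join(found)}")
```

On the constructed sample only 10.0.0.5 is reported, with three distinct TCP peers; the UDP row and the single 60100 contact from a non-Redis host are ignored by design. Pair a hit with the host-side indicators the article lists (firewall changes, a "Monitor" process under the user’s AppData Temp folder) before treating it as confirmed.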

Experts speculate that the worm might be laying the groundwork for future campaigns, potentially involving mining activities using the botnet.

According to Unit 42’s blog post, the company discovered P2PInfect on July 11th using its HoneyCloud platform, a diverse array of honeypots designed to attract and analyze public cloud threats. The worm’s rapid spread has been noted: of roughly 307,000 Redis instances communicating publicly, 934 were identified as potentially vulnerable.

P2PInfect’s use of Rust also concerns security researchers, as many ransomware groups have likewise moved to Rust for its native-speed encryption routines, easy cross-platform builds, and binaries that existing detection signatures and analysis tooling handle less well.

As the threat landscape continues to evolve, researchers are closely monitoring the worm’s behaviour, including the possibility of new behaviours and features being added to P2PInfect in the future.

While Rust offers many advantages beyond its use in malware, its adoption in worms like P2PInfect underlines the need for constant vigilance and proactive security measures. Organizations and individuals are urged to update their Redis instances (on Debian-based systems, to a package that carries the CVE-2022-0543 fix), keep Redis off the public internet, require authentication, and implement robust cybersecurity practices to safeguard against potential attacks.

In the wake of this discovery, the cybersecurity community must remain vigilant and proactive in safeguarding critical systems and data against emerging threats like P2PInfect and other advanced malware strains.

  1. 10 Application Security Best Practices To Follow
  2. Thousands of GitHub Repositories Cloned in Supply Chain Attack
  3. VirusTotal Data Leak Exposes User Info, Including Intel Agencies’ Data
  4. Threat actors hijacking Bitbucket and Docker Hub for Monero mining
  5. LemonDuck Cryptomining Botnet Hunting for Misconfigured Docker APIs

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related news

New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers

New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

The P2PInfect peer-to-peer (P2P) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack

New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems

Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This

New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers

At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani

Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua.

CVE-2022-0543: #1005787 - redis: CVE-2022-0543 - Debian Bug report logs

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
