Security
Headlines
HeadlinesLatestCVEs

Headline

New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. “The malware compromises exposed instances of the Redis data store by exploiting the replication feature,” Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack

The Hacker News
#vulnerability#web#windows#linux#redis#botnet#ssh#The Hacker News

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.

“The malware compromises exposed instances of the Redis data store by exploiting the replication feature,” Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.

“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command.”

The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware’s ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023.

However, the latest discovery suggests that the threat actors behind the campaign are leveraging multiple exploits for initial access.

This is not the first time the SLAVEOF command has been abused in the wild. Previously, threat actors associated with malware families such as H2Miner and HeadCrab have abused the attack technique to illicitly mine cryptocurrency on compromised hosts.

In doing so, the goal is to replicate a malicious instance and load a malicious module to activate the infection.

Another initial access vector entails the registration of a malicious cron job on the Redis host to download the malware from a remote server upon execution, a method previously observed in attacks mounted by the WatchDog cryptojacking group.

A successful breach is followed by the distribution of next-stage payloads that allow the malware to alter iptables firewall rules at will, upgrade itself, and potentially deploy cryptocurrency miners at a later date once the botnet has grown to a specific size.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

“The P2Pinfect malware makes use of a peer-to-peer botnet,” the researchers said. “Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to gossip with each other without using a centralized C2 server.”

A notable trait of the botnet is its worming behavior, enabling it to expand its reach by using a list of passwords to brute-force SSH servers and attempting to exploit the Lua sandbox escape vulnerability or use the SLAVEOF command in the case of Redis servers.

“P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2,” the researchers concluded. “The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers

P2PInfect: Self-Replicating Worm Hits Redis Instances

By Waqas Known as 'P2PInfect,' the worm exploits a critical vulnerability to infiltrate Redis instances and assimilates them into a larger P2P network, enabling it to spread rapidly. This is a post from HackRead.com Read the original post: P2PInfect: Self-Replicating Worm Hits Redis Instances

New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems

Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This

New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers

At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani

Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua.

CVE-2022-0543: #1005787 - redis: CVE-2022-0543 - Debian Bug report logs

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.