P2P Worm Attacking 307,000 Redis Instances on Linux and Windows Systems

by Esmeralda McKenzie

P2PInfect is a novel peer-to-peer (P2P) worm that is actively targeting Redis servers on both Linux and Windows, which makes it far more scalable and efficient than comparable worms.

While not every Redis instance is vulnerable, operators should still expect compromise attempts from this new P2P worm variant.

Palo Alto Networks Unit 42 researchers discovered this new cross-platform, Rust-based P2P worm, which is actively targeting Redis, in particular Redis running in cloud containers.

Flaw Exploited

The P2PInfect worm targets Redis instances by exploiting the CVE-2022-0543 vulnerability. Unit 42 found more than 307,000 Redis systems communicating publicly, of which 934 are potentially vulnerable to this P2P worm.

CVE-2022-0543, a Lua sandbox escape vulnerability disclosed in 2022, carries a Critical CVSS score of 10.0. Its full scope is unknown, but P2PInfect exploits Redis on both Linux and Windows, which extends its reach.

P2PInfect uses CVE-2022-0543 for initial access and then sets up P2P communication with a larger network. It fetches additional malicious binaries (scripts and scanning tools) and joins the P2P network in order to infect further Redis servers.

Unit 42 suspects P2PInfect is the initial stage of a more potent attack backed by a robust P2P C2 network, since the toolkit mentions "miner", although no evidence of cryptomining was found.

In addition, the network's "auto-updating" mode allows new payloads to be pushed out to expand malicious operations.

The vulnerability was exploited in past attacks (Muhstik, Redigo) that caused DoS and brute-forcing. P2PInfect follows a similar pattern but differs significantly in its post-exploitation operations.

Self-replicating P2P Worm

On July 11, 2023, Unit 42 discovered the initial P2PInfect event through HoneyCloud, its cloud-based honeypot detection system.

For transmitting its malicious binaries, P2PInfect uses a P2P network, and it names the binaries following the author's project structure.

Artifacts of the Windows version: names and Redis module (Source: Unit42)

P2PInfect exploits CVE-2022-0543 and establishes P2P communication to deliver payloads into cloud containers. It is adapted to container environments and targets vulnerable instances, unlike worms that rely on cron services for RCE.

Technical Analysis

On Windows, P2PInfect runs a Monitor process (located at C:\Users\<username>\AppData\Local\Temp\cmd.exe) that ensures the malware keeps running on the infected host.

Once started, the P2PInfect Monitor (cmd.exe) downloads new versions from the P2P network, persists them under random names in the same folder, and drops an encrypted configuration file (.conf).

Some initial-payload P2PInfect samples were UPX-packed, whereas the second-stage malware (miner and winminer) was not UPX-packed.

Experts recommend monitoring Redis applications both on-premises and in the cloud and ensuring that no randomly named files appear in /tmp. DevOps teams should continuously supervise instances for legitimate operations and network access.

Furthermore, they also advise keeping all Redis instances up to date with the latest available versions, which would help mitigate this worm.
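As an added example (not from the article or from Unit 42), the two recommendations above turned into a small host check: it parses `redis-cli INFO server` output to compare the running version against an operator-supplied patched baseline, and it flags random-looking filenames of the kind described above in a temp directory. The INFO text, the filename list and the (7, 0, 0) baseline are constructed placeholders; take the real baseline from your distribution's advisory.

```python
import re
from pathlib import Path

# Constructed sample of `redis-cli INFO server` output (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:6.0.16
redis_mode:standalone
"""

# Constructed directory listing standing in for /tmp on a reviewed host.
SAMPLE_TMP_NAMES = ["systemd-private-abc", "hsperfdata_redis", "x7KqP3vLmN9Zr2Wd", "Gf8HtY2kQpLz.conf"]


def parse_redis_version(info_text: str) -> tuple[int, ...]:
    """Return the redis_version field of INFO output as a comparable tuple, e.g. (6, 0, 16)."""
    match = re.search(r"^redis_version:(\d+(?:\.\d+)*)", info_text, re.MULTILINE)
    if match is None:
        raise ValueError("redis_version not present in INFO output")
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(info_text: str, minimum: tuple[int, ...]) -> bool:
    """True when the running server is older than the operator's patched baseline."""
    return parse_redis_version(info_text) < minimum


def looks_random(name: str, min_len: int = 12) -> bool:
    """Heuristic for the random names described above: a long alphanumeric stem that mixes
    letter case, or letters and digits, with either no extension or a bare .conf extension."""
    stem, dot, ext = name.partition(".")
    if dot and ext != "conf":
        return False
    if len(stem) < min_len or not stem.isalnum():
        return False
    has_upper = any(c.isupper() for c in stem)
    has_lower = any(c.islower() for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    return (has_upper and has_lower) or (has_digit and (has_upper or has_lower))


def flag_names(names) -> list[str]:
    """Return the entries that match the random-name heuristic."""
    return [n for n in names if looks_random(n)]


def scan_temp(directory: str = "/tmp") -> list[str]:
    """Apply the heuristic to a live directory listing (use C:\\Users\\<user>\\AppData\\Local\\Temp on Windows)."""
    return flag_names(p.name for p in Path(directory).iterdir())


if __name__ == "__main__":
    # (7, 0, 0) is a placeholder baseline, not a statement of which release fixed CVE-2022-0543.
    print("update needed:", needs_update(SAMPLE_INFO, (7, 0, 0)))
    print("suspicious sample names:", flag_names(SAMPLE_TMP_NAMES))
```

Names with hyphens or underscores (such as the systemd and JVM entries in the sample) pass the filter, so the heuristic is meant as a triage aid for a review of /tmp, not as a verdict.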

Source credit : cybersecuritynews.com
