uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

P2PInfect worm has been discovered that targets Redis servers on Linux

Peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for further exploitation has been discovered by cybersecurity researchers.

P2PInfect is more scalable and powerful than other worms, according to researchers William Gamazo and Nathaniel Quist from Palo Alto Networks Unit 42.
It exploits Redis servers that are running on both Linux and Windows operating systems. The programming language Rust, which is very scalable and cloud-friendly, is also used to create this worm. ".

Up to 934 different Redis systems are thought to be at risk from the danger. On July 11, 2023, P2PInfect was discovered for the first time.

The worm has the ability to spread to vulnerable Redis instances by using the critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been used in the past year to spread malware families like Muhstik, Redigo, and HeadCrab.

The initial access made possible by a successful exploit is then used to deliver a dropper payload that creates peer-to-peer (P2P) communication with a larger P2P network and fetches additional malicious binaries, including scanning software for spreading the malware to other exposed Redis and SSH hosts.

The infected instance then joins the P2P network to give future compromised Redis instances access to the other payloads, according to the researchers.

Worm P2PInfect.
In order to establish and maintain communication between the compromised host and the P2P network and give threat actors persistent access, the malware also makes use of a PowerShell script. Additionally, P2PInfect for Windows includes a Monitor component that enables self-updating and launching of the new version.

Although the word "miner" appears in the toolkit's source code and the campaign has not yet been identified, Unit 42 notes that there is no concrete proof of cryptojacking.

No known threat actor groups, such as Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog), have been linked to the activity.

The development comes as malicious actors constantly scanning the internet for misconfigured and vulnerable cloud assets are finding them within minutes to launch sophisticated attacks.

The researchers claimed that the P2PInfect worm "appears to be well designed with several modern development choices.". "The design and construction of a P2P network to carry out malware auto-propagation is not something commonly seen within the cloud targeting or cryptojacking threat landscape. ".