New P2pinfect Worm Malware Targets Redis Instances On Linux And Windows Servers

Posted on July 20, 2023 at 4:50 PM


Cybersecurity researchers have detected a new peer-to-peer (P2P) malware that contains self-spreading capabilities. The malware is used to target the Redis instances that are running on Linux and Windows systems that are exposed to the internet. The malware poses a significant risk to these systems.

New P2PInfect malware targets Linux and Windows servers

Researchers from Unit 42 detected the Rust-based worm, named P2PInfect, on July 11. They also found that the worm is being used in hacking campaigns targeting Redis servers that are vulnerable to attack.

The worm is being used in hacking campaigns that exploit the vulnerability tracked as CVE-2022-0543, also known as the Lua sandbox escape. The flaw poses a major risk to targeted systems, given that researchers estimate the attacks have a wide reach.

Over the last two weeks, researchers have detected 307,000 Redis servers exposed to the internet. However, despite the high number of discovered servers, only 934 instances are potentially vulnerable to this malware, according to the cybersecurity researchers.

Additionally, not all of these servers will be prone to infection. Nevertheless, the worm will still target them in an attempt to compromise them. The researchers noted that they had gathered several samples within the HoneyCloud platform showing that the threat continued to grow.

The researchers said that the samples they uncovered came from different geographic regions. As such, they believed that the number of P2P nodes continued to grow.

They attributed the growth to the volume of potential targets. They also said that they did not have an estimate of the number of nodes currently in existence or of the speed at which the malicious network is growing.

“This is due to the volume of potential targets – over 307,000 Redis instances communicating publicly over the last two weeks – and since the worm was able to compromise multiple of our Redis honeypots across disparate regions. However, we don’t have an estimate yet of how many nodes exist or how fast the malicious network associated with P2PInfect is growing,” the security researchers said.

The flaw targets cloud container ecosystems

If CVE-2022-0543 is successfully exploited, the malware gains remote code execution on the affected device. Once the vulnerability has been exploited, the P2PInfect worm installs the first malicious payload, which compromises the targeted device.

The malicious payload establishes a peer-to-peer communication channel within the larger interconnected system. The infected device is then connected to the P2P network, which is used for auto-propagation.

The worm then downloads additional malicious binaries, including scanning tools used to locate other Redis servers exposed to exploitation. The researchers noted that the method of exploitation makes the P2PInfect worm more effective.

The attack technique allows the P2PInfect worm to operate and propagate more effectively in cloud environments. The researchers also said that the P2PInfect campaign could be the initial stage of a more damaging attack.

The P2PInfect campaign leverages a robust P2P command-and-control (C2) network to run these campaigns. Redis servers have been targeted by hacker groups for several years, and most of the compromised servers have been enlisted in DDoS and cryptojacking botnets that generate high traffic volumes.

The CVE-2022-0543 vulnerability has also been used to obtain initial access by other botnets targeting Redis instances. Botnets that have run such campaigns in the past include Muhstik and Redigo, which are increasingly being used for a range of malicious purposes, including DDoS campaigns and brute-force attacks.

In March last year, the US Cybersecurity and Infrastructure Security Agency (CISA) required federal civilian agencies to patch a critical Redis flaw. This happened after the flaw was added to the spreader exploit used by the Muhstik malware group.

However, a large number of instances have been exposed online, and many Redis server admins are not aware that the server lacks a secure-by-default configuration. The official Redis documentation states that Redis is intended to be accessed within closed IT networks and does not have an access control mechanism enabled by default.
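As an added illustration, not code from the article or from Unit 42, the following Python script audits a redis.conf text for the exposure conditions described above (reachable from the network with no access control) and reports whether Lua scripting, the attack surface of CVE-2022-0543, is still enabled. It assumes Redis 3.2+ defaults (no `bind` line means all interfaces, `protected-mode` defaults to yes, no password unless `requirepass` is set); the sample configurations are constructed.

```python
# Added example, not from the article or Unit 42: audit a redis.conf for the
# exposure the article describes. Assumed Redis defaults (3.2+): no "bind"
# line means all interfaces, protected-mode defaults to "yes", and there is
# no password unless "requirepass" is set.

def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Directive -> arguments; later duplicates override, rename-command accumulates."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "rename-command":
            conf.setdefault(directive, []).extend(args)
        else:
            conf[directive] = args
    return conf

def audit_redis_conf(text: str) -> list[str]:
    """Return findings, most severe first; an empty list means nothing exposed."""
    conf = parse_redis_conf(text)
    binds = conf.get("bind", [])
    # A leading "-" tells Redis to ignore a missing interface; strip it for matching.
    exposed = not binds or any(b.lstrip("-") in {"0.0.0.0", "*", "::"} for b in binds)
    has_auth = bool(conf.get("requirepass"))
    # Protected mode only blocks remote clients when no explicit bind and no password.
    protected = (conf.get("protected-mode", ["yes"])[0].lower() == "yes"
                 and not binds and not has_auth)
    findings: list[str] = []
    if exposed and not has_auth and not protected:
        findings.append("CRITICAL: all interfaces, no password; anyone reaching the port can run commands")
    elif exposed and not has_auth:
        findings.append("WARN: only protected-mode shields this instance; an explicit bind or "
                        "'protected-mode no' would fully expose it")
    elif exposed:
        findings.append("INFO: password required but port reachable; restrict with bind or a firewall")
    renames = conf.get("rename-command", [])
    if not any(renames[i].upper() == "EVAL" and renames[i + 1] in ('""', "''")
               for i in range(0, len(renames) - 1, 2)):
        findings.append("INFO: Lua scripting (EVAL) enabled; 'rename-command EVAL \"\"' disables it")
    return findings

# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = 'bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass REPLACE_ME\nrename-command EVAL ""\n'
```

Running `audit_redis_conf(WEAK_CONF)` yields a CRITICAL finding plus the EVAL note, while `HARDENED_CONF` yields no findings.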

Published by KoDDoS Blog.
