New P2PInfect Malware, Self-Spreading Worm Targets Redis Instances on Internet-Exposed Systems
In a recent breakthrough, security researchers from Unit 42 have unearthed a new peer-to-peer (P2P) malware with a unique self-spreading capability. This sophisticated worm, named P2PInfect, strategically targets Redis instances running on Internet-exposed Windows and Linux systems. The discovery also revealed that the malware capitalizes on the maximum severity CVE-2022-0543 Lua sandbox escape vulnerability to hack into vulnerable Redis servers.
During their investigation, the researchers came across more than 307,000 Redis servers exposed on the Internet in the past two weeks. Among them, 934 instances were identified as potentially susceptible to P2PInfect attacks. However, the worm doesn’t discriminate and attempts to compromise any target, even if not all are vulnerable.
“We have caught several samples within our HoneyCloud platform, across multiple geographic regions, and we strongly believe the number of P2P nodes is growing,” shared the researchers. They pointed out the vast pool of potential targets and the spread of the worm across diverse regions. Nevertheless, an exact estimate of the existing nodes or the speed of growth of the malicious network linked to P2PInfect remains unknown.
Gaining Control through CVE-2022-0543 Vulnerability
Once P2PInfect successfully exploits the CVE-2022-0543 flaw, it gains remote code execution on the compromised device. Following deployment, the malware establishes a peer-to-peer (P2P) communication channel and joins a P2P network with other infected devices, enabling automatic propagation. It then downloads additional malicious binaries, including scanning tools used to locate other exposed Redis servers.
Experts assert that P2PInfect’s exploitation of the CVE-2022-0543 vulnerability grants it enhanced operation and propagation abilities, particularly in cloud container environments. The researchers believe that this campaign marks only the initial stage of a potentially more formidable attack, leveraging the robust P2P command and control (C2) network.
Redis servers have long been a target for various threat actors, often ending up in DDoS and cryptojacking botnets. In the past, CVE-2022-0543 has been exploited by botnets like Muhstik and Redigo for DDoS attacks and brute-forcing attempts.
The large number of exposed Redis instances online is a serious security concern, as many server admins may be unaware that Redis does not have a secure-by-default configuration. The official Redis documentation states that the server is designed for closed IT networks and does not enable any access control mechanism by default.
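To make the "not secure by default" point concrete, here is an added example (not from the article, Unit 42 or the Redis project) that audits a redis.conf for the posture described above: an instance listening on every interface, with protected-mode switched off and no authentication configured. The two configurations it checks are constructed samples; the directive names (bind, protected-mode, requirepass, aclfile, user) are the standard redis.conf keywords.

```python
from typing import Dict, List

# Constructed sample configurations (not from the article): the first mirrors the
# open posture the article warns about, the second is the hardened counterpart.
WEAK_CONF = """
# exposed on every interface, no password, protection switched off
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
"""


def parse_redis_conf(text: str) -> Dict[str, str]:
    """Map redis.conf directives to values; a repeated directive keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return the conditions that leave this instance reachable without access control."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    # With no bind directive Redis listens on all interfaces; 0.0.0.0 or * does the same.
    addrs = conf.get("bind", "").split()
    if not addrs or "0.0.0.0" in addrs or "*" in addrs:
        findings.append("listens on all interfaces (missing bind, or bind 0.0.0.0/*)")
    # protected-mode defaults to yes; 'no' removes the loopback-only fallback.
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode disabled")
    # Without requirepass or ACL users, any client that can connect may run commands.
    if not conf.get("requirepass") and "aclfile" not in conf and "user" not in conf:
        findings.append("no authentication configured (requirepass, aclfile or user)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no exposure findings"])
```

A password or ACL only limits who can reach the Lua engine; an unpatched build is still affected by CVE-2022-0543, so the configuration check complements rather than replaces updating to a fixed distribution.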
Redis statement
In response to the discovery, Redis issued a statement emphasizing that Redis Enterprise software is not vulnerable to CVE-2022-0543, as it uses a hardened version of the Lua module. Therefore, customers running Redis Enterprise licensed software are not at risk from P2PInfect. Open-source Redis users are urged to use official distributions available directly from redis.io to mitigate potential threats.
Source: bleepingcomputer.com