Pierluigi Paganini
July 31, 2023
In July, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.
The worm is written in the Rust programming language, it targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).
This CVE-2022-0543 vulnerability has been used in previous attacks aimed at Redis servers carried out tby by the Muhstik and Redigo botnets.
The malware exploits CVE-2022-0543 for initial access, then drops an initial payload that establishes P2P communication to the P2P network.
The researchers identified over 307,000 unique public Redis systems over the last two weeks, of which 934 may be vulnerable to this worm.
At this time it is still unclear the goal of the threat actors behind the botnet.
Now Cado Security researchers reported the discovery of a new variant of the P2PInfect worm targeting Redis servers with a previously undocumented initial access vector.
This variant exploiting the replication feature to compromises exposed instances of the Redis data store. Replication allows instances of Redis to be run in a distributed architecture, aka leader/follower topology. A follower node can act as exact replicas of the leader, this feature provides high availability and failover for the data store.
“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command. Once replication is complete, the attacker can load a malicious module (a Linux shared object file) which extends the functionality of Redis itself.” reads the analysis published by Cado Security.
The researchers also observed P2Pinfect attempting to compromise the Redis host via the Cron unauthenticated RCE mechanism.
Once compromised a server, the attackers deliver the next-stage payloads that allow the malware to carry out malicious activities, such as modifying iptables firewall rules.
The P2Pinfect exhibits a worming behavior, the binary reads the bash_history, ssh config, and known hosts files to gather a list of users, IPs, and SSH keys, then it uses this information to attempt to infect other instances.
The bot will randomly choose a /16 network prefix to conduct scans for potentially exposed SSH and Redis servers. It will also use a list of passwords to carry out brute force attacks on any servers it encounters.
“The sample encountered by Cado researchers had similar functionality as the Windows variant analysed by Unit42. Despite this, the initial access method differed and Cado researchers did not find any evidence to suggest the malware specifically targeted cloud environments. From the information gleaned during analysis, P2Pinfect would likely run on most Linux hosts regardless of whether they were cloud-hosted or on-premise.” concludes Cado Security Labs. “Cado Security Labs concur with Unit42 findings on the subject of the miner payload.”
The report includes Indicators of Compromise (IoCs) and Yara rules for binary detection.
Follow me on Twitter: @securityaffairs Facebook and Mastodon
(SecurityAffairs – hacking, malware)
