Earlier this month, security researchers discovered a new peer-to-peer (P2P) malware with self-spreading capabilities that targets Redis instances running on Internet-exposed Windows and Linux systems.
The Unit 42 researchers who spotted the Rust-based worm (named P2PInfect) on July 11 also found that it hacks into Redis servers that have been left vulnerable to the maximum severity CVE-2022-0543 Lua sandbox escape vulnerability.
While over Internet-exposed 307,000 Redis servers have been discovered in the last two weeks, only 934 instances are potentially vulnerable to this malware’s attacks, according to the researchers.
However, even if not all are susceptible to infection, the worm will still target and try to compromise them.
“We have caught several samples within our HoneyCloud platform, across multiple geographic regions, and we strongly believe the number of P2P nodes is growing,” the researchers said.
“This is due to the volume of potential targets – over 307,000 Redis instances communicating publicly over the last two weeks – and since the worm was able to compromise multiple of our Redis honeypots across disparate regions. However, we don’t have an estimate yet of how many nodes exist or how fast the malicious network associated with P2PInfect is growing.”
Targets set on cloud container environments
Successful exploitation of the CVE-2022-0543 flaw allows the malware to gain remote code execution capabilities on compromised devices.
Following its deployment, the P2PInfect worm installs a first malicious payload, creating a peer-to-peer (P2P) communication channel within a broader interconnected system.
After it connects to the P2P network of other infected devices used for auto-propagation, the worm downloads additional malicious binaries, including scanning tools to find other exposed Redis servers.
“Exploiting CVE-2022-0543 in this way makes the P2PInfect worm more effective at operating and propagating in cloud container environments,” the researchers added.
“Unit 42 believes this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network.”
Redis servers have been targeted by many threat actors over the years, most of them being added to DDoS and cryptojacking botnets.
For instance, CVE-2022-0543 exploits have been used for initial access by other botnets targeting Redis instances, including Muhstik and Redigo, for various malicious purposes, including DDoS and brute-forcing attacks.
In March 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch this critical Redis vulnerability after it was added to the spreader exploit used by the Muhstik malware gang.
Unfortunately, based on the large number of instances exposed online, many Redis server admins may not be aware that Redis lacks a secure-by-default configuration.
According to the official documentation, Redis servers are designed for closed IT networks, and thus, they do not come with an access control mechanism enabled by default.
Update July 20, 13:36 EDT: Redis sent the following statement after the article was published.
As the world’s most popular in-memory database, it’s no surprise that Redis installations are frequently the target of threat actors, and we are glad to see cybersecurity researchers actively working to find these bad actors. We’ve previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis. Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability. As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from redis.io. — Redis
Source: https://www.bleepingcomputer.com/news/security/new-p2pinfect-worm-malware-targets-linux-and-windows-redis-servers/
