Cybersecurity researchers have discovered a new cloud-targeting peer-to-peer (P2P) worm, dubbed P2PInfect, that targets vulnerable Redis instances for further exploitation.
“P2PInfect exploits Redis servers running on Linux and Windows operating systems, making it more scalable and robust than other worms,” Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. “This worm is also written in Rust, a highly scalable and cloud-friendly programming language.”
It is estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.
An important characteristic of this worm is its ability to infect vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has previously been exploited by malware families such as Muhstik, Redigo, and HeadCrab over the past year.
Initial access gained through successful exploitation is then used to deliver dropper payloads that establish peer-to-peer (P2P) communications with the larger P2P network and retrieve additional malicious binaries, including scanning software used to spread the malware to other exposed Redis and SSH hosts.
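The worm's initial foothold depends on Redis instances that are reachable from the internet and still expose the scripting and configuration commands. The following audit script is an added example, not Unit 42's or the Redis project's own tooling: it parses a `redis.conf` and flags the settings that leave an instance exposed (listening on all interfaces, `protected-mode` off, no `requirepass`, and `CONFIG`/`EVAL`/`EVALSHA` not disabled via `rename-command`). The directive names are real Redis configuration keys; both sample configurations are constructed, and disabling `EVAL` is shown as a hardening measure that reduces exposure of the Lua engine, not as a substitute for patching CVE-2022-0543.

```python
"""Audit a redis.conf for settings that leave an instance reachable and
scriptable from the internet. Added example; the sample configs below are
constructed, and the directive names are standard Redis configuration keys."""
from __future__ import annotations

# Constructed sample: a typical weak configuration on a cloud host.
WEAK_CONF = """\
# constructed sample, not a real deployment
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so there is no authentication
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
"""

# Values that make `bind` listen on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}
# Commands a remote attacker relies on once an unauthenticated connection exists.
SENSITIVE_COMMANDS = ("CONFIG", "EVAL", "EVALSHA")


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive (lower-cased) to the list of argument lists seen.
    Redis treats only lines beginning with '#' as comments, so '#' inside a
    value (e.g. a password) is preserved."""
    out: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        out.setdefault(name.lower(), []).append(args)
    return out


def audit(text: str) -> list[str]:
    """Return a list of human-readable findings; empty means no issue found."""
    conf = parse_conf(text)
    findings: list[str] = []

    # With no `bind` directive Redis listens on all interfaces, so treat
    # absence the same as a wildcard. The last occurrence wins, as in Redis.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(addr in WILDCARD_BINDS for addr in binds):
        findings.append("bind: listens on all interfaces")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode: disabled")

    if "requirepass" not in conf:
        findings.append("requirepass: no password set")

    # `rename-command X ""` disables X entirely.
    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1] in ('""', "''")
    }
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in disabled:
            findings.append(f"{cmd}: command still reachable")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run against the two constructed configs, the weak one yields six findings and the hardened one none; pointing `audit()` at a live host's `redis.conf` (or at the output of `CONFIG GET` reassembled into the same `directive value` form) gives a quick exposure check that complements, rather than replaces, patching the affected Redis packages.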
“The infected instance then joins the P2P network to provide access to other payloads to the compromised Redis instance in the future,” the researchers said.
The malware also uses PowerShell scripts to establish and maintain communication between the compromised host and the P2P network, offering threat actors continuous access. What’s more, the Windows version of P2PInfect incorporates a Monitor component to update itself and launch new versions.
It wasn’t immediately clear what the ultimate goal of this campaign would be, with Unit 42 noting that there was no conclusive evidence of cryptojacking despite the word “miner” in the toolkit’s source code.
The activity has not been linked to any group of threat actors known for attacking cloud environments, such as Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automatic Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Libra Thief (aka WatchDog).
The development comes as misconfigured and vulnerable cloud assets are being discovered within minutes by bad actors who constantly scan the internet to carry out sophisticated attacks.
“The P2PInfect worm appears to be well designed with several modern development options,” the researchers said. “The design and building of P2P networks for the automatic propagation of malware is not something commonly seen in the cloud targeting or cryptojacking threat landscape.”