P2PInfect: A New Cross-Platform Worm Targeting Redis Server

Cybersecurity researchers have recently made a significant discovery – a new and menacing peer-to-peer (P2P) worm named P2PInfect. This highly sophisticated worm has set its sights on the cloud, specifically targeting vulnerable Redis instances. In this article, we will delve into the details of this cyber security threat, its mode of operation, potential impact, and essential cyber defense measures organizations must adopt to safeguard their systems and data.

P2PInfect worm is an advanced malware strain, employing a peer-to-peer botnet structure that makes it extremely resilient and challenging to detect. Redis servers, widely used for caching and in-memory data storage, have become the prime targets of this malicious worm. Its unique ability to exploit Redis vulnerabilities and cross-platform compatibility makes it a formidable threat.

Up to 934 distinct Redis systems are believed to be at risk from this threat, with the initial sighting of P2PInfect recorded on July 11, 2023.

The worm’s striking feature lies in its proficiency to infect vulnerable Redis instances through the exploitation of a crucial Lua sandbox escape vulnerability known as CVE-2022-0543 (CVSS score: 10.0). This particular vulnerability has been previously exploited to distribute various malware families, including Muhstik, Redigo, and HeadCrab, throughout the preceding year.

According to William Gamazo, a principal security researcher at Palo Alto Networks, “Redigo and HeadCrab” have been linked to the Redis ‘Primary/Secondary’ module synchronization attack. This attack method involves moving a compromised Redis instance from a Primary to a Secondary model, granting the attacker control over the compromised system. However, Gamazo emphasizes that this attack technique needs to be accurately associated with CVE-2022-0543.

The P2PInfect attack is directly linked to the Lua sandbox escape tracked as CVE-2022-0543. In this attack, the assailant abuses the Lua library to inject a remote code execution (RCE) script into the compromised host. This method bears a strong resemblance to the Muhstik exploit. Nonetheless, it is essential to note that there is no apparent connection between Muhstik and P2PInfect.

Upon successful exploitation, the initial access gained is utilized to deploy a dropper payload. This payload establishes peer-to-peer (P2P) communication within a broader P2P network, allowing the attacker to retrieve further malicious binaries. The additional payloads obtained are scanning tools designed to facilitate the malware’s spread to other vulnerable Redis and SSH hosts.

As stated by the researchers, once infected, the compromised instance becomes part of the P2P network, enabling it to grant access to other payloads for potential future compromises of Redis instances.

The malware employs a PowerShell script to establish and sustain communication between the compromised host and the P2P network, ensuring threat actors retain persistent access. Furthermore, the Windows variant of P2PInfect integrates a Monitor component, enabling it to self-update and initiate the execution of the latest version.

Given Redis’s status as the most widely used in-memory database globally, it is no surprise that threat actors often set their sights on exploiting Redis installations. The cybersecurity community is encouraged by the proactive efforts of researchers in unearthing these malicious actors. Past instances have revealed various malware designed to capitalise on CVE-2022-0543, a vulnerability stemming from how specific versions of Debian Linux package the Lua engine for open-source Redis.

Customers using Redis Enterprise software can rest assured that they are protected from this vulnerability, as it includes a fortified version of the Lua module impervious to CVE-2022-0543 and P2PInfect. However, for users of open-source Redis, employing the official distributions provided directly from redis.io is highly recommended to mitigate any potential risks.
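As an added defensive example (not code from the article, Unit 42 or the Redis project), the following audit evaluates a Redis instance's exposure to the two attack paths described above: an unpatched distribution-packaged Lua engine (CVE-2022-0543) and an unexpected primary/replica role change. It assumes the input is a dict merging `INFO server`, `INFO replication` and `CONFIG GET` fields as Redis names them; the sample values are constructed, and the "executable under /usr/bin means distro package" rule is a heuristic assumption.

```python
"""Audit a Redis instance for exposure to CVE-2022-0543-style abuse and
replica takeover. Added example; the sample data below is CONSTRUCTED."""

# Constructed sample shaped like merged INFO / CONFIG GET output.
SAMPLE_INFO = {
    "redis_version": "6.0.16",
    "executable": "/usr/bin/redis-server",   # typical distro package path
    "role": "slave",                          # host has become a replica
    "master_host": "198.51.100.7",            # documentation-range address
    "protected-mode": "no",
    "requirepass": "",
    "bind": "0.0.0.0",
}

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def audit(info: dict, expected_masters=()) -> list:
    """Return human-readable findings; an empty list means no issue found."""
    findings = []
    if info.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is off")
    if not info.get("requirepass"):
        findings.append("no requirepass: unauthenticated access permitted")
    # Redis bind syntax allows several addresses, optionally prefixed '-'.
    binds = {a.lstrip("-") for a in info.get("bind", "127.0.0.1").split()}
    if binds & WILDCARD_BINDS:
        findings.append("bound to all interfaces")
    if info.get("role") == "slave" and info.get("master_host") not in expected_masters:
        findings.append(f"unexpected replica of {info.get('master_host')}")
    # Heuristic (assumption): a binary under /usr/bin usually comes from the
    # OS package, whose bundled Lua must be confirmed patched for CVE-2022-0543.
    if info.get("executable", "").startswith("/usr/bin/"):
        findings.append("distribution-packaged binary: confirm CVE-2022-0543 fix")
    return findings


def collect_live(host="127.0.0.1", port=6379, password=None) -> dict:
    """Gather the same fields from a running instance via redis-py (optional)."""
    import redis  # imported here so the audit logic runs without the library
    r = redis.Redis(host=host, port=port, password=password, decode_responses=True)
    info = {**r.info("server"), **r.info("replication")}
    for key in ("protected-mode", "requirepass", "bind"):
        info.update(r.config_get(key))
    return info


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO):
        print("FINDING:", finding)
```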

The ultimate objective of the campaign remains unclear, as Unit 42 highlights that there is currently no conclusive evidence of crypto jacking, despite the appearance of the term “miner” in the toolkit’s source code.

However, it is strongly suspected that the malware was specifically designed to exploit numerous vulnerable Redis instances on various platforms, possibly as a preparatory phase for a more sophisticated attack that leverages this powerful peer-to-peer command-and-control (C2) network.

This activity remains unattributed to any recognized threat actor groups known for targeting cloud environments, such as Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Returned Libra (aka 8220 Gang), Money Libra (aka Kinsing), or Thief Libra (aka WatchDog).

This development arises when malicious actors relentlessly scan the internet, swiftly identifying misconfigured and vulnerable cloud assets. These exposed assets become susceptible to sophisticated attacks within minutes of discovery.

“The P2PInfect worm exhibits an impressive level of sophistication, reflecting several modern development choices,” as stated by the researchers. They further emphasized that designing and implementing a P2P network for the automatic propagation of malware is a rare occurrence within cloud-targeting or crypto jacking threats.

The emergence of the P2PInfect Worm targeting Redis servers on Linux and Windows systems underscores the evolving and persistent nature of cyber security threats. Organizations and individuals must remain vigilant, adopt proactive data security measures, and stay informed about the latest cyber security news to protect their valuable data and systems.

Ampcus Cyber offers a comprehensive suite of cybersecurity compliance and assurance services to help organizations fortify their defense against threats like the P2PInfect worm targeting Redis servers. By partnering with Ampcus Cyber, businesses can proactively address vulnerabilities, respond swiftly to cyberattacks, and foster a resilient security posture that effectively safeguards their digital assets and ensures business continuity.