Cybersecurity researchers have uncovered a new cloud-targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation.
“P2PInfect exploits Redis servers running on both Linux and Windows operating systems, making it more scalable and potent than other worms,” Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. “This worm is also written in Rust, a highly scalable and cloud-friendly programming language.”
It is estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.
A notable characteristic of the worm is its ability to infect vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has previously been exploited to deliver multiple malware families such as Muhstik, Redigo, and HeadCrab over the past year.
The initial access afforded by successful exploitation is then leveraged to deliver a dropper payload that establishes peer-to-peer (P2P) communication with a larger P2P network and fetches additional malicious binaries, including scanning software for propagating the malware to other exposed Redis and SSH hosts.
“The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances,” the researchers said.
The malware also uses a PowerShell script to establish and maintain communication between the compromised host and the P2P network, giving the threat actors persistent access. What's more, the Windows flavor of P2PInfect incorporates a Monitor component to self-update and launch the new version.
It is not immediately known what the end goal of the campaign is, with Unit 42 noting that there is no definitive evidence of cryptojacking despite the presence of the word “miner” in the toolkit's source code.
The activity has not been attributed to any known threat actor groups notorious for striking cloud environments, such as Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog).
The development comes as misconfigured and vulnerable cloud assets are being discovered within minutes by bad actors constantly scanning the internet to mount sophisticated attacks.
“The P2PInfect worm appears to be well designed with several modern development choices,” the researchers said. “The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud-targeting or cryptojacking threat landscape.”