
Cybersecurity researchers have discovered a new cloud-targeting peer-to-peer (P2P) worm, dubbed P2PInfect, that infects vulnerable Redis instances for follow-on exploitation.
Researchers William Gamazo and Nathaniel Quist of Palo Alto Networks Unit 42 said, “P2PInfect exploits Redis servers running on both Linux and Windows operating systems, making it more scalable and powerful than other worms.” They added, “This worm is also written in Rust, a highly extensible and cloud-friendly programming language.”
It is estimated that up to 934 unique Redis systems may be vulnerable to this threat. The first known instance of P2PInfect was detected on July 11, 2023.
A notable feature of this worm is its ability to exploit the critical Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score: 10.0) to gain a foothold on vulnerable Redis instances. Over the past year, this vulnerability has been exploited to deliver multiple malware families, including Muhstik, Redigo, and HeadCrab.
Initial access gained through successful exploitation is used to deliver a dropper payload that establishes P2P communication with a larger network and fetches additional malicious binaries, including scanning software used to propagate the malware to other exposed Redis and SSH hosts.
“Infected instances participate in a P2P network, providing future compromised Redis instances with access to other payloads,” the researchers said.
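The Lua sandbox escape described above leaves a trace on the wire: a script that names globals Redis is supposed to hide. As an added example that is not from the Unit 42 report or the Redis project, the following Python script scans Redis MONITOR output (constructed sample lines included) for such scripts and for EVAL calls from non-loopback clients; the token list and the remote-client heuristic are this example's assumptions, not indicators published on the page.

```python
import re
from ipaddress import ip_address

# Assumed Redis MONITOR line format: <ts> [<db> <client-addr>] "CMD" "arg" ...
MONITOR_LINE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<rest>.*)$")
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Lua globals Redis' sandbox is meant to hide from scripts; a script naming them is
# reaching outside the sandbox. This list is the example's assumption, not an IoC.
ESCAPE_TOKEN = re.compile(r"\b(package|loadlib|io|os|dofile|loadfile|require)\b")


def parse_monitor_line(line):
    """Return (timestamp, client address, [args]) or None for a non-MONITOR line."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("addr"), QUOTED_ARG.findall(m.group("rest"))


def is_remote(addr):
    # Non-loopback IP counts as remote; unix sockets and unparsable hosts as local.
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return False


def scan(lines):
    """Return (ts, addr, reason) tuples for MONITOR lines that warrant a look."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None or not parsed[2]:
            continue
        ts, addr, args = parsed
        cmd = args[0].upper()
        if cmd not in ("EVAL", "SCRIPT"):  # only commands that carry a script body
            continue
        hits = sorted(set(ESCAPE_TOKEN.findall(" ".join(args[1:]).lower())))
        if hits:
            findings.append((ts, addr, "lua sandbox escape indicator: " + ",".join(hits)))
        elif cmd == "EVAL" and is_remote(addr):
            findings.append((ts, addr, "EVAL from non-loopback client"))
    return findings


# Constructed sample MONITOR output (not real traffic): a benign SET, a remote
# EVAL, a script reaching for the hidden 'package' global, and a local PING.
SAMPLE_MONITOR = """\
1689072000.101 [0 127.0.0.1:51200] "SET" "k" "v"
1689072000.202 [0 10.0.0.9:51432] "EVAL" "return redis.call('GET', KEYS[1])" "1" "k"
1689072000.303 [0 203.0.113.5:41234] "EVAL" "local p = package; return 1" "0"
1689072000.404 [0 [::1]:51300] "PING"
"""
```

Feed it `redis-cli MONITOR` output (or a saved capture) line by line; on a hardened deployment the sandbox-escape indicator should never fire, and remote EVAL should only appear from clients you recognise.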

The malware also uses PowerShell scripts to establish and maintain communication between compromised hosts and the P2P network, giving the threat actor persistent access. Additionally, the Windows flavor of P2PInfect includes a Monitor component that updates the malware and launches new versions of itself.
It wasn’t immediately clear what the campaign’s ultimate goal was, with Unit 42 noting that despite the presence of the word “miner” in the toolkit’s source code, there was no conclusive evidence of cryptojacking.
The campaign has not been attributed to any of the threat actor groups known for attacking cloud environments, such as Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Money Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog).
This development comes as misconfigured and vulnerable cloud assets are being discovered within minutes by malicious actors who constantly scan the internet in order to mount attacks.
“The P2PInfect worm appears to be well designed with some modern development choices,” the researchers said. “Its design and construction of a P2P network to carry out automated malware propagation is not commonly seen in the cloud targeting and cryptojacking threat arena.”