A newly discovered peer-to-peer (P2P) worm is targeting Redis servers that are vulnerable to a year-old Lua sandbox escape bug, cybersecurity firm Palo Alto Networks warns.
Written in the Rust programming language, the new P2PInfect worm was observed exploiting unpatched Redis servers to install a dropper and establish P2P communication. Additional binaries are then deployed, including scripts and scanning tools to identify other vulnerable instances and propagate the worm.
According to Palo Alto Networks, there are over 300,000 Redis servers exposed to the internet, with more than 900 of them believed to be vulnerable to the P2PInfect worm. The malware targets both Windows and Linux instances.
For initial infection, the worm exploits CVE-2022-0543 (CVSS score of 10), an insufficient sanitization issue in the Lua library. Because the library is dynamically linked in some Linux packages, the vulnerability may lead to sandbox escape and remote code execution.
Redis instances infected with P2PInfect are added to a “P2P network to provide access to the other payloads to future compromised Redis instances”, Palo Alto Networks notes.
This exploitation technique allows the worm to be effective at propagating within cloud container environments, likely in preparation of a “more capable attack that leverages this robust P2P command and control (C2) network”.
According to Palo Alto Networks, infected servers were observed scanning for additional Redis instances, but also performing scanning over SSH port 22.
The cybersecurity firm also discovered that the worm drops a PowerShell script that maintains communication with the P2P network, and which modifies the local firewall to block legitimate access.
“The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape. At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms,” Palo Alto Networks notes.
Patches for CVE-2022-0543, which was previously exploited in Muhstik and Redigo attacks, were released in April 2022. Redis server administrators are advised to patch their instances as soon as possible.