A newly discovered peer-to-peer (P2P) worm is targeting Redis servers that are vulnerable to a year-old Lua sandbox escape bug, cybersecurity firm Palo Alto Networks warns.
Written in the Rust programming language, the new P2PInfect worm was observed exploiting unpatched Redis servers to install a dropper and establish P2P communication. Additional binaries are then deployed, including scripts and scanning tools to identify other vulnerable instances and propagate the worm.
According to Palo Alto Networks, there are over 300,000 Redis servers exposed to the internet, with more than 900 of them believed to be vulnerable to the P2PInfect worm. The malware targets both Windows and Linux instances.
For initial infection, the worm exploits CVE-2022-0543 (CVSS score of 10), an insufficient sanitization issue in the Lua library. Because the library is dynamically linked in some Linux packages, the vulnerability may lead to sandbox escape and remote code execution.
Redis instances infected with P2PInfect are added to a “P2P network to provide access to the other payloads to future compromised Redis instances”, Palo Alto Networks notes.
This exploitation technique allows the worm to be effective at propagating within cloud container environments, likely in preparation of a “more capable attack that leverages this robust P2P command and control (C2) network”.
According to Palo Alto Networks, infected servers were observed scanning for additional Redis instances, but also performing scanning over SSH port 22.
The cybersecurity firm also discovered that the worm drops a PowerShell script that maintains communication with the P2P network, and which modifies the local firewall to block legitimate access.
“The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape. At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms,” Palo Alto Networks notes.
Patches for CVE-2022-0543, which was previously exploited in Muhstik and Redigo attacks, were released in April 2022. Redis server administrators are advised to patch their instances as soon as possible.
Related: HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
Related: ‘Raspberry Robin’ Windows Worm Abuses QNAP Devices
Related: Sophisticated FritzFrog P2P Botnet Returns After Long Break
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
