Cybersecurity researchers have uncovered a brand new cloud focusing on, peer-to-peer (P2P) worm referred to as P2PInfect that targets susceptible Redis cases for follow-on exploitation.
“P2PInfect exploits Redis servers working on each Linux and Home windows Working Programs making it extra scalable and potent than different worms,” Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist stated. “This worm can also be written in Rust, a extremely scalable and cloud-friendly programming language.”
It is estimated that as many as 934 distinctive Redis techniques could also be susceptible to the risk. The primary identified occasion of P2PInfect was detected on July 11, 2023.
A notable attribute of the worm is its capacity to infects susceptible Redis cases by exploiting a important Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS rating: 10.0), which has been beforehand exploited to ship a number of malware households comparable to Muhstik, Redigo, and HeadCrab over the previous yr.
The preliminary entry afforded by a profitable exploitation is then leveraged to ship a dropper payload that establishes peer-to-peer (P2P) communication to a bigger P2P community and fetch extra malicious binaries, together with scanning software program for propagating the malware to different uncovered Redis and SSH hosts.
“The contaminated occasion then joins the P2P community to supply entry to the opposite payloads to future compromised Redis cases,” the researchers stated.
The malware additionally makes use of a PowerShell script to ascertain and keep communication between the compromised host and the P2P community, providing risk actors persistent entry. What’s extra, the Home windows taste of P2PInfect incorporates a Monitor part to self-update and launch the brand new model.
It isn’t instantly identified what the tip aim of the marketing campaign is, with Unit 42 noting that there isn’t any definitive proof of cryptojacking regardless of the presence of the phrase “miner” within the toolkit’s supply code.
Protect In opposition to Insider Threats: Grasp SaaS Safety Posture Administration
Nervous about insider threats? We have you lined! Be part of this webinar to discover sensible methods and the secrets and techniques of proactive safety with SaaS Safety Posture Administration.
The exercise has not been attributed to any identified risk actor teams infamous for putting cloud environments like Adept Libra (aka TeamTNT), Aged Libra (aka Rocke), Automated Libra (aka PURPLEURCHIN), Cash Libra (aka Kinsing), Returned Libra (aka 8220 Gang), or Thief Libra (aka WatchDog).
The event comes as misconfigured and susceptible cloud belongings are being found inside minutes by unhealthy actors continuously scanning the web to mount subtle assaults.
“The P2PInfect worm seems to be effectively designed with a number of trendy improvement selections,” the researchers stated. “The design and constructing of a P2P community to carry out the auto-propagation of malware is just not one thing generally seen inside the cloud focusing on or cryptojacking risk panorama.”