Monday, September 16, 2024

New P2PInfect Worm Targets Redis Servers with Undocumented Breach Strategies


Jul 31, 2023THNCyber Menace / Botnet

P2PInfect Worm

The P2PInfect peer-to-peer (P2) worm has been noticed using beforehand undocumented preliminary entry strategies to breach prone Redis servers and twine them right into a botnet.

“The malware compromises uncovered situations of the Redis knowledge retailer by exploiting the replication function,” Cado Safety researchers Nate Invoice and Matt Muir mentioned in a report shared with The Hacker Information.

“A typical assault sample towards Redis in cloud environments is to use this function utilizing a malicious occasion to allow replication. That is achieved through connecting to an uncovered Redis occasion and issuing the SLAVEOF command.”

The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware’s skill to use a important Lua sandbox escape vulnerability (CVE-2022-0543, CVSS rating: 10.0) to acquire a foothold into Redis situations. The marketing campaign is believed to have commenced on or after June 29, 2023.

Nonetheless, the newest discovery means that the risk actors behind the marketing campaign are leveraging a number of exploits for preliminary entry.

This isn’t the primary time the SLAVEOF command has been abused within the wild. Beforehand, risk actors related to malware households akin to H2Miner and HeadCrab have abused the assault approach to illicitly mine cryptocurrency on compromised hosts.

In doing so, the objective is to copy a malicious occasion and cargo a malicious module to activate the an infection.

One other preliminary entry vector entails the registration of a malicious cron job on the Redis host to obtain the malware from a distant server upon execution, a way beforehand noticed in assaults mounted by the WatchDog cryptojacking group.

A profitable breach is adopted by the distribution of next-stage payloads that permit the malware to change iptables firewall guidelines at will, improve itself, and probably deploy cryptocurrency miners at a later date as soon as the botnet has grown to a particular dimension.

UPCOMING WEBINAR

Defend Towards Insider Threats: Grasp SaaS Safety Posture Administration

Apprehensive about insider threats? We have you lined! Be a part of this webinar to discover sensible methods and the secrets and techniques of proactive safety with SaaS Safety Posture Administration.

Be a part of At this time

“The P2Pinfect malware makes use of a peer-to-peer botnet,” the researchers mentioned. “Every contaminated server is handled as a node, which then connects to different contaminated servers. This enables the complete botnet to gossip with one another with out utilizing a centralized C2 server.”

A notable trait of the botnet is its worming conduct, enabling it to broaden its attain through the use of an inventory of passwords to brute-force SSH servers and making an attempt to use the Lua sandbox escape vulnerability or use the SLAVEOF command within the case of Redis servers.

“P2Pinfect is well-designed and makes use of refined strategies for replication and C2,” the researchers concluded. “The selection of utilizing Rust additionally permits for simpler portability of code throughout platforms (with the Home windows and Linux binaries sharing quite a lot of the identical code), whereas additionally making static evaluation of the code considerably tougher.”

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

0FansLike
3,912FollowersFollow
0SubscribersSubscribe
- Advertisement -spot_img

Latest Articles