A new peer-to-peer (P2P) worm is spreading across instances of the Redis open source database software in the cloud. It may be the first phase in a larger cyberattack coming in the future, according to researchers with Palo Alto Network’s Unit 42 threat intelligence group.
The self-replicating worm, dubbed P2PInfect, is designed to be spread far and wide, researchers William Gamazo and Nathaniel Quist wrote in a report this week. It’s written in the increasingly popular Rust programming language, which makes it cloud-friendly and more capable of spreading across multiple operating systems.
P2PInfect can attack Redis instances running either Windows or Linux, which makes it a highly scalable threat.
In addition, rather than exploiting Redis applications for initial access–a more common P2P infection method–it uses the CVE-2022-0543 vulnerability known as the Lua sandbox escape, a flaw that has a “critical” CVSS score of 10 and makes it able to more easily spread in cloud container environments.
P2PInfect, which was first detected by Unit 42 on July 11, 2023, drops a payload after the initial access that essentially pulls the Redis instance into a larger botnet, establishing peer-to-peer communications with a larger P2P network.
“Once the P2P connection is established, the worm pulls down additional malicious binaries such as OS-specific scripts and scanning software,” Gamazo and Quist wrote. “The infected instance then joins the P2P network to provide access to the other payloads to future compromised Redis instances.”
However, the threat group’s end goal is not yet clear. There are points where the term “miner” is found in the worm’s toolkit, but there’s no evidence that the malware has been used in cryptomining campaigns.
“Additionally, the P2P network appears to possess multiple C2 [command-and-control] features such as ‘Auto-updating’ that would allow the controllers of the P2P network to push new payloads into the network that could alter and enhance the performance of any of the malicious operations,” they wrote, adding that they believe “this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P … [C2] network.”
Attentions Turn to the Cloud
P2PInfect is part of a larger trend of bad actors turning their focus to the cloud, essentially following possible targets as enterprises continue to shift their IT operations from on-premises data centers to the cloud.
In February, CrowdStrike analysts found that in 2022, cloud exploitations jumped 95% year-over-year, with the number of cases involving “cloud-conscious” attackers almost tripling to 288%. A Check Point survey last month found that 76% of organizations have heightened cloud security worries as the number of cloud-based network attacks jumped 48% last year.
Exploiting the CVE-2022-0543 flaw is a key avenue for the P2PInfect cybercriminals to get into the cloud. Most active worms targeting Redis exploit cron services, a job scheduling tool, to gain remote code execution (RCE) capabilities. But containers don’t use cron services, so they can’t exploit Redis with that technique. But exploiting the vulnerability enables the P2PInfect attackers to include cloud containers among their targets.
That said, these perpetrators aren’t the first to target Redis instances through the CVE-2022-0543 flaw. Last year, threat actors used the vulnerability to roll up cloud instances into the Muhstik and Redigo botnets to run denial-of-service (DoS) and brute-force attacks against systems. However, P2PInfect doesn’t seem to be related to either of them, with the post-exploit operations being much different.
There also don’t seem to be links to other groups that deploy worms and target Redis, such as Adept Libra (also known as TeamTNT), Thief Libra (WatchDog) and Automated Libra (PurpleUrchin).
Catching the Worm With Honey
Gamazo and Quist wrote that Unit 42 detected P2PInfect through its HoneyCloud, a group of honeypots used to identify and analyze novel cloud-based attacks in public clouds. After compromising a Redis instance, the following payload not only establishes communication with the P2P network but also includes scanning capabilities for finding other vulnerable Redis instances, as well as SSH port 22 hosts that can be infected with the malware.
They are unsure why the scanning includes SSH hosts, given that there’s no evidence of anything but Redis instances being attacked, though they noted that other know worm operators have targeted port 22.
The attackers use a PowerShell script in the malware to maintain communication between the compromised instance and the P2P network and ensure persistence in the infected system.
Unit 42 identified more than 307,000 Redis systems communicating publicly during a recent two-week spread and estimated that 934 of the instances could be vulnerable to the P2P worm.
“While not all of the 307,000 Redis instances will be vulnerable, the worm will still target these systems and attempt the compromise,” the researchers wrote.
The operators behind P2PInfect knew what they were doing when building it.
The worm “appears to be well designed with several modern development choices,” the researcher wrote. “The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape. At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms.”
In a statement to Security Boulevard, Redis officials said the broad use of their in-memory database will make it a target of threat actors and hailed cybersecurity researchers’ efforts to ferret them out. They’ve seen malware created to exploit the CVE-2022-0543 vulnerability, which was created by the way certain versions of Debian Linux package the Lua engine for open-source Redis.
That said, that Redis Enterprise software includes a hardened version of the Lua module that is not susceptible to the flaw, according to company officials, who added that “customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open-source Redis are encouraged to use official distributions available directly from redis.io.”