Cyber security news for all

    Emerging Peer-to-Peer Worm, P2PInfect, Threatens Redis Servers

    A freshly identified peer-to-peer (P2P) worm is targeting Redis servers susceptible to a year-old Lua sandbox escape bug, warns cybersecurity firm Palo Alto Networks.

    Crafted in the Rust programming language, the new P2PInfect worm has been detected exploiting unprotected Redis servers to set up a dropper and create P2P communication. Following this, more binaries are deployed, which include scripts and scanning tools for identifying other vulnerable instances and propagating the worm.

    Palo Alto Networks reports that over 300,000 Redis servers are exposed to the internet, with more than 900 of them presumed to be vulnerable to the P2PInfect worm. The malware has its sights set on both Windows and Linux instances.

    For the initial infection, the worm takes advantage of CVE-2022-0543 (CVSS score 10), an insufficient-sanitization issue in the Lua library. Because the library is dynamically linked in some Linux packages, the vulnerability can lead to sandbox escape and remote code execution.
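    The worm only gets a foothold on Redis instances that are reachable without authentication, so a quick way to reduce exposure is to audit redis.conf for the settings that leave an instance open. The following checker is an added defender-side example, not code from the article or from Palo Alto Networks; the sample configs are constructed, and the `rename-command EVAL ""` stop-gap is an assumed interim control for hosts that cannot yet receive the patched Lua package, not a mitigation the article itself lists.

```python
"""Audit a redis.conf for the exposure conditions a worm like P2PInfect relies on."""
from __future__ import annotations

# Constructed sample configs, not captured from a real host.
EXPOSED_CONF = """
# bind 127.0.0.1 -::1
protected-mode no
port 6379
# requirepass foobared
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command EVAL ""
rename-command EVALSHA ""
"""


def parse_directives(text: str) -> dict[str, list[str]]:
    """Map each active (non-comment) directive name to its argument strings, in file order."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no exposure condition was found."""
    d = parse_directives(text)
    findings: list[str] = []
    binds = d.get("bind", [])
    # With no bind directive Redis listens on every interface.
    if not binds or any(a in ("0.0.0.0", "*", "::") for b in binds for a in b.split()):
        findings.append("bind: listens on all interfaces (no bind, or 0.0.0.0/*/::)")
    if d.get("protected-mode", ["yes"])[-1].lower() != "yes":  # last occurrence wins
        findings.append("protected-mode: disabled, unauthenticated remote clients are accepted")
    has_auth = "requirepass" in d or any(
        u.split()[0] == "default" and "nopass" not in u for u in d.get("user", []))
    if not has_auth:
        findings.append("auth: no requirepass and no ACL password for the default user")
    # Assumed stop-gap: disabling EVAL/EVALSHA blocks Lua scripting until the library is patched.
    disabled = {a.split()[0].upper() for a in d.get("rename-command", []) if a.endswith('""')}
    if not {"EVAL", "EVALSHA"} <= disabled:
        findings.append("lua: EVAL/EVALSHA reachable; ensure the Lua package is patched (CVE-2022-0543)")
    return findings
```

Run `audit_redis_conf(open("/etc/redis/redis.conf").read())` on a host to list its findings; instances managed purely through an external ACL file will need the `user` check adapted.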

    Redis instances infected with P2PInfect are incorporated into a “P2P network to provide access to the other payloads to future compromised Redis instances”, according to Palo Alto Networks.

    This method makes the worm efficient at propagating within cloud container environments, likely in preparation for a “more capable attack that leverages this robust P2P command and control (C2) network”.

    Palo Alto Networks noted that infected servers were detected scanning for additional Redis instances, as well as conducting scanning over SSH port 22.

    The cybersecurity firm also found that the worm drops a PowerShell script that maintains communication with the P2P network and alters the local firewall to block legitimate access.

    “The crafting and establishment of a P2P network to carry out the auto-propagation of malware is not a usual sight within the cloud targeting or cryptojacking threat landscape. Concurrently, we believe it was specially designed to compromise and support as many vulnerable Redis instances as possible across various platforms,” says Palo Alto Networks.
