A newly discovered worm malware known as P2PInfect is proving to be a threat to Redis servers. This malware, discovered earlier this month by security researchers from Unit 42, showcases self-spreading capabilities. The malicious software aims primarily at Redis instances that operate on Windows and Linux systems visible on the Internet.
Unit 42 researchers found that P2PInfect capitalizes on vulnerable Redis servers. The vulnerability lies in a Lua sandbox escape flaw, marked as CVE-2022-0543, which is of maximum severity.
Identifying Vulnerable Redis Servers Against Worm Malware
Over the past fortnight, researchers have spotted more than 307,000 Redis servers online. Out of these, a mere 934 instances are at risk from P2PInfect. Notwithstanding, the worm malware attempts to compromise every server it encounters.
Unit 42 researchers have identified several samples of the malware in different geographical regions through their HoneyCloud platform. They believe that the P2PInfect node count is on the rise. This increase is primarily due to the high number of potential targets — more than 307,000 Redis instances — and the worm’s successful compromise of several Redis honeypots in diverse areas.
Focusing on Cloud Container Environments
The malware, upon successful exploitation of the CVE-2022-0543 flaw, can execute remote code on the infected devices. The initial move of the P2PInfect worm is to install a malicious payload. This action creates a peer-to-peer (P2P) communication channel within a broader interconnected system.
The worm connects to the P2P network of other infected devices. This connection allows for automatic propagation. It then downloads additional malicious binaries. These binaries include scanning tools used to discover other exposed Redis servers.
The researchers note that this exploitation technique makes the P2PInfect worm highly effective. It can efficiently operate and propagate in cloud container environments. Unit 42 foresees the P2PInfect campaign as the first step towards a potentially more potent attack. It could exploit this robust P2P command and control (C2) network.
Redis Servers as a Target Over the Years
Redis servers have been under constant threats from numerous actors over time. Most of these actors have included the servers in DDoS and cryptojacking botnets. For instance, botnets such as Muhstik and Redigo have used the CVE-2022-0543 exploits for initial access. They have targeted Redis instances for various malicious activities, such as DDoS and brute-forcing attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) instructed federal civilian agencies to patch this critical Redis flaw in March 2022. This directive was in response to the Muhstik malware gang using this exploit.
Unfortunately, many Redis server admins might not be aware of the insecure-by-default configuration of Redis. Redis servers, as per official documentation, are designed for closed IT networks. As such, they do not have a default enabled access control mechanism. Given the large number of instances exposed online, this lack of awareness is a significant concern.
