An extremely dangerous worm has wound up in cloudy environments

Cybersecurity experts have discovered a new P2PInfect worm that attacks Redis-servers in the cloud for subsequent exploitation of existing vulnerabilities.

“The P2PInfect worm compromises Redis servers running both on linuxso on Windows, which makes it larger and more dangerous than other worms. In addition, this worm is written in Rust – a highly scalable and cloud-based programming language, ”the researchers said Palo Alto Networks V recent report .

It is estimated that up to 934 unique Redis systems may be vulnerable to this threat. The first known case of P2PInfect infection was recorded on July 11, 2023.

A characteristic feature of the worm is the ability to infect vulnerable Redis instances by exploiting the critical Lua Sandbox Escape vulnerability. CVE-2022-0543 (grade CVSS 10.0), which has been used to deliver various malware over the past year, such as Muhstik, Redigo, and HeadCrab.

The initial access granted by the successful exploit is then used to deliver the dropper payload, which establishes a peer (P2P) connect to a larger P2P network and extract additional malicious binaries, including scanning software to spread malware to other exposed Redis and SSH hosts.

The malware also uses PowerShell-script to establish and maintain communication between a compromised host and a P2P network, providing attackers with permanent access. Moreover, the Windows version of P2PInfect includes a Monitor component for self-updating and launching the new version.

It is not yet known what the ultimate goal of the campaign is, although Unit 42 noted that there is no unambiguous evidence of cryptocurrency mining, despite the presence of the word “miner” in the source code of the toolkit.

The activity has not yet been attributed to any of the known threat groups widely known for attacking cloud environments. Meanwhile, misconfigured cloud environments are increasingly being attacked by cybercriminals who carefully scan the Internet for particularly vulnerable instances.

“The P2PInfect worm appears to be well designed using several modern development techniques. Creating a P2P network for automated malware distribution is quite rare in the cloud-targeting threat landscape,” the researchers concluded.