IT administrators with the open-source Redis database in their environments are being warned of a new peer-to-peer (P2P) worm targeting Windows and Linux servers running the application.
Researchers at Palo Alto Networks have dubbed the malware, which they found last week, P2PInfect, saying 934 unpatched Redis instances open to the internet may be vulnerable.
It infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543. While the vulnerability was disclosed in 2022, the researchers say, its scope is not fully known at this point. However, it is rated in the NIST National Vulnerability Database with a Critical CVSS score of 10.0.
Additionally, the report says, the fact that P2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable and potent than other worms.
All samples of the P2P worm collected by the researchers are written in Rust, a highly scalable and cloud-friendly programming language. This allows the worm to be capable of cross-platform infections that target Redis instances on both Linux and Windows operating systems.
After initial infection by exploiting the Lua vulnerability, an initial payload is executed that establishes a P2P communication to the larger C2 botnet, which serves as a P2P network for delivering other payloads to future compromised Redis instances, says the report. Once the P2P connection is established, the worm pulls down additional payloads, such as a scanner. The newly infected instance then joins the ranks of the P2P network to provide scanning payloads to future compromised Redis instances.
Exploiting this vulnerability makes P2PInfect effective in cloud container environments, the report adds.
The researchers believe this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network. There are instances of the word “miner” within the malicious toolkit of P2PInfect. However, researchers did not find any definitive evidence that cryptomining operations ever occurred. Additionally, the P2P network appears to possess multiple C2 features such as “Auto-updating” that would allow the controllers of the P2P network to push new payloads into the network that could alter and enhance the performance of any of the malicious operations.
The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape, the report says. “At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms.”
Redis administrators should monitor all Redis applications, the report says, both on-premises and within cloud environments, to ensure they do not contain random filenames within the /tmp directory. Additionally, DevOps personnel should continually monitor their Redis instances to ensure they maintain legitimate operations and maintain network access. Finally, all Redis instances should also be updated to their latest versions.
UPDATE: After this story was published Redis sent IT World Canada the following statement: “We’ve previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis. Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability. As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from redis.io.”
