Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called
P2PInfect that targets vulnerable Redis instances for follow-on exploitation.
"P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist
said. "This worm is also written in Rust, a highly scalable and cloud-friendly programming language."
It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023.
A notable characteristic of the worm is its ability to infects vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability,
CVE-2022-0543 (CVSS score: 10.0), which has been previously exploited to deliver multiple
malware families such as
Muhstik,
Redigo, and
HeadCrab over the past year.
The initial access afforded by a successful exploitation is then leveraged to deliver a dropper payload that establishes peer-to-peer (P2P) communication to a larger P2P network and fetch additional malicious binaries, including scanning software for propagating the malware to other exposed Redis and SSH hosts.