Researchers have identified a cross-platform, Rust-based, peer-to-peer (P2P) worm that is targeting the Redis open-source database application; specifically, Redis containers running in the cloud.
A July 19 report from Palo Alto Networks’ Unit 42 gave the cloud worm an apt moniker: “P2PInfect.” Because of its substantial command-and-control (C2) network and references to the word “miner,” the team suspects it could be the first stage of a wider cryptomining operation.
While the Unit 42 team found more than 300,000 Redis systems online, not all are vulnerable to the P2PInfect worm — in fact, they found just 934 that were. The team said vulnerable Redis systems are those left unpatched against the Lua sandbox escape vulnerability tracked as CVE-2022-0543, which scores 10 out of 10 on the CVSS vulnerability-severity scale.
“While the vulnerability was disclosed in 2022, its scope is not fully known at this point,” the Unit 42 P2P cloud worm report explained. “Additionally, the fact that P2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable and potent than other worms.”
The problem for the rest of the Redis user base is that Unit 42 analysts predict every Redis system can expect threat actors to attempt a breach. Moreover, the worm can be modified with additional compromise tactics at any time, meaning that Redis instances that are not vulnerable now could become crackable in the future.
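Since the report expects every reachable Redis instance to be probed regardless of its patch level, the practical defensive step is to verify that an instance is not exposed and that Lua scripting is not reachable by unauthenticated clients. The script below is an added example, not code from the Unit 42 report or the Redis project: it audits the output of `INFO server`, `CONFIG GET` and `ACL LIST` (all constructed here, not captured from a real host) against standard Redis hardening settings (`bind`, `protected-mode`, `requirepass`, `rename-command`, the `@scripting` ACL category). Because fix status for CVE-2022-0543 depends on the distribution’s Redis package rather than the upstream version number, the script reports version and OS for triage instead of deciding vulnerability from the version alone.

```python
"""Audit Redis exposure and hardening from captured INFO, CONFIG and ACL output.

Added example; the sample data below is constructed, not taken from a real host.
"""

# Constructed `INFO server` output for an unhardened, internet-facing instance.
SAMPLE_INFO = """# Server
redis_version:6.0.16
redis_mode:standalone
os:Linux 5.15.0-76-generic x86_64
tcp_port:6379
"""

# Constructed `CONFIG GET` results for the same instance.
SAMPLE_CONFIG = {"bind": "0.0.0.0", "protected-mode": "no", "requirepass": ""}

# Constructed `ACL LIST` output: default user, no password, every command allowed.
SAMPLE_ACL = ["user default on nopass ~* &* +@all"]

# Commands hidden or disabled with `rename-command` in redis.conf (none here).
SAMPLE_RENAMED = {}

# A hardened counterpart: loopback only, protected mode on, password set
# (placeholder hash), and the @scripting category denied to the default user.
HARDENED_CONFIG = {"bind": "127.0.0.1", "protected-mode": "yes",
                   "requirepass": "<placeholder-password>"}
HARDENED_ACL = ["user default on #<sha256-placeholder> ~* &* +@all -@scripting"]


def parse_info(text):
    """Turn the `key:value` lines of a Redis INFO section into a dict,
    skipping blank lines and `# Section` headers."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        info[key] = value
    return info


def default_user_tokens(acl_rules):
    """Return the ACL rule tokens for the `default` user, or an empty list."""
    for rule in acl_rules:
        tokens = rule.split()
        if len(tokens) > 1 and tokens[0] == "user" and tokens[1] == "default":
            return tokens
    return []


def scripting_reachable(acl_rules, renamed):
    """True if a client authenticated as the default user can still run Lua.
    Scripting is blocked if both EVAL and EVALSHA were renamed/disabled via
    rename-command, or if the default user's ACL denies the @scripting category."""
    if "EVAL" in renamed and "EVALSHA" in renamed:
        return False
    return "-@scripting" not in default_user_tokens(acl_rules)


def audit(info_text, config, acl_rules, renamed):
    """Return a list of (severity, message); only an 'info' entry means hardened."""
    info = parse_info(info_text)
    findings = []

    bind = config.get("bind", "")
    if not bind or any(b in ("0.0.0.0", "::", "*") for b in bind.split()):
        findings.append(("high", f"bind={bind!r}: listening on all interfaces"))

    if config.get("protected-mode", "yes").lower() != "yes":
        findings.append(("high", "protected-mode is off"))

    nopass = "nopass" in default_user_tokens(acl_rules)
    if not config.get("requirepass") and nopass:
        findings.append(("critical",
                         "no authentication: requirepass empty and default user is nopass"))

    if scripting_reachable(acl_rules, renamed):
        findings.append(("high", "Lua scripting (EVAL/EVALSHA) reachable by the default "
                                 "user; relevant to CVE-2022-0543 if the package is unpatched"))

    # Triage context only: patch status for CVE-2022-0543 depends on the
    # distribution package, so version and OS are reported, not judged.
    findings.append(("info", f"redis {info.get('redis_version')} on {info.get('os')}"))
    return findings


if __name__ == "__main__":
    for name, cfg, acl in (("exposed", SAMPLE_CONFIG, SAMPLE_ACL),
                           ("hardened", HARDENED_CONFIG, HARDENED_ACL)):
        print(f"== {name} ==")
        for severity, message in audit(SAMPLE_INFO, cfg, acl, SAMPLE_RENAMED):
            print(f"[{severity}] {message}")
```

Run against the constructed exposed instance the audit reports one critical and three high findings plus the version line; against the hardened configuration only the version line remains. The `-@scripting` check covers the category as a whole; if `rename-command` is used instead, both `EVAL` and `EVALSHA` need renaming, which the function also recognises.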
“The P2P network appears to possess multiple C2 features such as ‘Auto-updating’ that would allow the controllers of the P2P network to push new payloads into the network that could alter and enhance the performance of any of the malicious operations,” according to the report.
Unit 42 added that it will continue to track P2PInfect.