P2PInfect is a new peer-to-peer (P2P) worm that poses a significant threat to Linux and Windows cloud environments. Cloud researchers from Palo Alto Networks' Unit 42 discovered the worm on July 11, 2023, when it was targeting their honeypot environment, HoneyCloud.
The worm targets Redis, a widely used open-source in-memory data store that runs on both Linux and Windows. P2PInfect exploits a critical vulnerability for initial access and then joins the compromised host to a P2P network, which it uses to propagate across cloud systems.
The vulnerability being exploited is CVE-2022-0543, which, according to the NIST NVD, is a "Lua sandbox escape, which could result in remote code execution." It was published in February 2022 and carries a CVSS score of 10.0. One caveat matters for triage: the flaw is in the Redis builds shipped by Debian and Ubuntu, which link Lua dynamically and leave the Lua `package` library reachable from `EVAL`; upstream Redis builds are not affected, so the upstream version number alone does not tell you whether an instance is exposed.
According to the Unit 42 findings, more than 307,000 unique Redis systems had communicated publicly over the preceding two weeks, and 934 of them were found to be potentially vulnerable to this worm variant.
Upon infecting a Redis instance, P2PInfect deploys a payload that uses a PowerShell script to connect the host to the larger P2P botnet and to modify the host firewall so that legitimate traffic to the compromised Redis service is disrupted. The worm, written in Rust, then downloads additional malicious binaries, including OS-specific scripts and scanning software, to extend its reach.
The worm's architecture includes an auto-update feature, which lets its operators change and intensify its malicious operations after infection. Combined with its cross-platform design and its focus on cloud container environments, this makes it effective at spreading rapidly and adapting.
To counter the P2PInfect threat, organizations are advised to monitor their Redis instances for suspicious activity and to keep them patched. On Debian and Ubuntu the fix for CVE-2022-0543 lives in the distribution's redis package, so that package, not just the upstream release, is what needs updating. Redis should also not be exposed directly to the internet, and authentication should be required.
Because P2PInfect poses a substantial risk to cloud environments, organizations are urged to stay vigilant and take the necessary precautions to protect their infrastructure from this emerging threat.
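The following is an added example, not code from the article or from Unit 42, showing a non-destructive way to tell whether a Redis instance has the CVE-2022-0543 precondition described above. It speaks the RESP protocol directly (no third-party client) and runs the harmless Lua script `return type(package)` through `EVAL`: on the affected Debian/Ubuntu builds the `package` global is reachable and the reply is the string `table`; on upstream or patched builds the sandbox rejects the global with an error about a nonexistent global variable (or answers `nil`). Nothing is loaded or executed beyond that one call. The host, port and the constructed sample replies in the comments are assumptions for illustration.

```python
"""Probe a Redis instance for the CVE-2022-0543 precondition (Lua 'package' reachable).

Added example; not from the original article. Uses only the standard library.
"""
import socket
import sys
from typing import Optional, Tuple

PROBE_SCRIPT = "return type(package)"  # harmless: only asks whether the global exists


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, e.g. EVAL <script> 0."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        data = part.encode()
        out.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(out)


def parse_reply(raw: bytes) -> Tuple[str, Optional[object]]:
    """Parse one RESP reply into (kind, value); kind is status/error/int/bulk/nil.

    Only the reply types EVAL can produce for this probe are handled.
    """
    if not raw.endswith(b"\r\n"):
        raise ValueError("truncated reply")
    head, _, rest = raw.partition(b"\r\n")
    tag, body = head[:1], head[1:]
    if tag == b"+":
        return "status", body.decode()
    if tag == b"-":
        return "error", body.decode()
    if tag == b":":
        return "int", int(body)
    if tag == b"$":
        length = int(body)
        if length < 0:
            return "nil", None
        return "bulk", rest[:length].decode()
    raise ValueError(f"unsupported RESP type: {tag!r}")


def classify(reply: Tuple[str, Optional[object]]) -> str:
    """Turn the probe reply into a verdict.

    'vulnerable'   -> 'package' is a table: the Lua package library is exposed
                      (the CVE-2022-0543 precondition on Debian/Ubuntu builds)
    'patched'      -> the sandbox hides 'package' (error about the global, or nil)
    'unauthorized' -> the server wants AUTH / denies the command; cannot decide
    'unknown'      -> anything else (e.g. EVAL renamed away)
    """
    kind, value = reply
    if kind == "bulk" and value == "table":
        return "vulnerable"
    if kind == "bulk" and value == "nil":
        return "patched"
    if kind == "error":
        text = str(value).lower()
        if "nonexistent global" in text:
            return "patched"
        if text.startswith("noauth") or text.startswith("noperm"):
            return "unauthorized"
    return "unknown"


def recv_reply(sock: socket.socket) -> bytes:
    """Read exactly one RESP reply (simple line, or bulk header plus body)."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before reply")
        buf += chunk
    if buf.startswith(b"$"):
        head = buf.partition(b"\r\n")[0]
        length = int(head[1:])
        if length >= 0:
            need = len(head) + 2 + length + 2
            while len(buf) < need:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed mid-bulk-reply")
                buf += chunk
    return buf


def probe(host: str, port: int = 6379, password: Optional[str] = None, timeout: float = 3.0) -> str:
    """Connect, optionally AUTH, send the probe and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password:
            sock.sendall(encode_command("AUTH", password))
            parse_reply(recv_reply(sock))  # ignore the +OK / -ERR here; EVAL reply decides
        sock.sendall(encode_command("EVAL", PROBE_SCRIPT, "0"))
        return classify(parse_reply(recv_reply(sock)))


if __name__ == "__main__":
    # Assumed usage: python probe.py 10.0.0.5 6379 [password]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    pw = sys.argv[3] if len(sys.argv) > 3 else None
    print(f"{target}:{target_port} -> {probe(target, target_port, pw)}")
```

A `vulnerable` verdict means the Lua `package` library is loaded into the script sandbox, which is the condition the Debian/Ubuntu packaging fix removes; an `unauthorized` verdict is itself useful, since it shows the instance at least requires authentication before accepting `EVAL` from the network.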