Worm targeting unpatched Redis databases, say researchers

Share post:

IT administrators with the open-source Redis database in their environments are being warned of a new peer-to-peer (P2P) worm targeting Windows and Linux servers running the application.

Researchers at Palo Alto Networks have dubbed the malware, which they found last week, P2PInfect, saying 934 unpatched Redis instances open to the internet may be vulnerable.

It infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543. While the vulnerability was disclosed in 2022, the researchers say, its scope is not fully known at this point. However, it is rated in the NIST National Vulnerability Database with a Critical CVSS score of 10.0.

Additionally, the report says, the fact that P2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable and potent than other worms.

All samples of the P2P worm collected by the researchers are written in Rust, a highly scalable and cloud-friendly programming language. This allows the worm to be capable of cross-platform infections that target Redis instances on both Linux and Windows operating systems.

After initial infection by exploiting the Lua vulnerability, an initial payload is executed that establishes a P2P communication to the larger C2 botnet, which serves as a P2P network for delivering other payloads to future compromised Redis instances, says the report. Once the P2P connection is established, the worm pulls down additional payloads, such as a scanner. The newly infected instance then joins the ranks of the P2P network to provide scanning payloads to future compromised Redis instances.

Exploiting this vulnerability makes P2PInfect effective in cloud container environments, the report adds.

The researchers believe this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network. There are instances of the word “miner” within the malicious toolkit of P2PInfect. However, researchers did not find any definitive evidence that cryptomining operations ever occurred. Additionally, the P2P network appears to possess multiple C2 features such as “Auto-updating” that would allow the controllers of the P2P network to push new payloads into the network that could alter and enhance the performance of any of the malicious operations.

The design and building of a P2P network to perform the auto-propagation of malware is not something commonly seen within the cloud targeting or cryptojacking threat landscape, the report says. “At the same time, we believe it was purpose-built to compromise and support as many Redis vulnerable instances as possible across multiple platforms.”

Redis administrators should monitor all Redis applications, the report says, both on-premises and within cloud environments, to ensure they do not contain random filenames within the /tmp directory. Additionally, DevOps personnel should continually monitor their Redis instances to ensure they maintain legitimate operations and maintain network access. Finally, all Redis instances should also be updated to their latest versions.

The post Worm targeting unpatched Redis databases, say researchers first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, May 29, 2024 – A new North Korean ransomware gang spotted, and more

A new North Korean ransomware gang spotted, and more Welcome to Cyber Security Today. It's Wednesday, May 29th, 2024....

Microsoft tries to regain trust of government cybersecurity leadership

Microsoft has embarked on an aggressive campaign to restore and enhance its cybersecurity image and regain trust within...

London Drugs refuses to pay ransom – corporate data is leaked

London Drugs, a prominent Canadian retailer, has confirmed a data breach involving sensitive corporate head office files, following...

Cyber Security Today, May 27, 2024 – Security controversy over a new Microsoft tool, a new open source threat intelligence service, and more

Security controversy over a new Microsoft tool, a new open-source threat intelligence service, and more. Welcome to Cyber Security...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways