Cybersecurity experts have identified a new peer-to-peer (P2P) worm named P2PInfect, which specifically targets vulnerable Redis installations for subsequent exploitation. Unlike many previous threats, P2PInfect can compromise Redis servers operating on both Linux and Windows platforms, making it a particularly formidable threat, as noted by researchers from Palo Alto Networks’ Unit 42.

William Gamazo and Nathaniel Quist, leading researchers at Unit 42, indicated that the worm is constructed using Rust, a programming language known for its scalability and suitability for cloud applications. It has been estimated that approximately 934 Redis systems may be exposed to this new threat, with the first documented case of P2PInfect occurring on July 11, 2023.

A key feature of P2PInfect is its exploitation of a critical Lua sandbox escape vulnerability designated as CVE-2022-0543, which has previously seen use in various malware campaigns. This vulnerability carries a severity score of 10.0 on the Common Vulnerability Scoring System (CVSS) and has already served as a distribution vector for numerous malware families, including Muhstik, Redigo, and HeadCrab. However, Unit 42 researchers have specified that they found no direct correlation between P2PInfect and the aforementioned malware campaigns, given differences in programming languages and methodologies.

Gamazo explained that P2PInfect leverages the Lua library to inject Remote Code Execution (RCE) scripts into compromised hosts, a technique distinct from others associated with Redis synchronization vulnerabilities. The initial exploitation enables the worm to deploy a payload that establishes a P2P communication channel, facilitating the retrieval of additional malicious binaries, including software that aids in the worm’s propagation across other exposed Redis and SSH servers.

Further, the worm employs a PowerShell script to maintain connectivity with the P2P network, thus ensuring persistent access for threat actors. Notably, the Windows version of P2PInfect features a monitor component that allows automatic updates to newer versions of the worm.

A Redis spokesperson reiterated that Redis installations are frequently targeted due to their status as popular in-memory databases. They emphasized that Redis Enterprise users benefit from a hardened Lua module, which is not susceptible to CVE-2022-0543. As such, organizations utilizing Redis Enterprise licensed software remain protected from P2PInfect.

While the precise objectives of the attackers remain unclear, Unit 42 asserted that the malware seems fundamentally engineered to compromise a wide array of vulnerable Redis instances across different operating systems. This strategy could be part of a broader plan that anticipates launching more sophisticated attacks enabled by a robust P2P command-and-control infrastructure.

No known threat actor groups, including those infamous for exploiting cloud weaknesses such as TeamTNT or Rocke, have been definitively linked to this activity. This development comes amidst a trend of cybercriminals swiftly identifying and targeting misconfigured and vulnerable cloud assets.

The P2PInfect worm illustrates a sophisticated design and an innovative approach to self-propagation via a P2P network, a tactic not typically observed in the current cloud targeting threat landscape. Mitigating the risks associated with vulnerabilities like CVE-2022-0543 will be essential for organizations to safeguard their systems from evolving cyber threats, leveraging insights from the MITRE ATT&CK framework to understand the adversarial tactics potentially deployed in this incident.
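As an added example written for this page (it is not code from Unit 42, Redis, or the article), the Python script below audits a redis.conf for generic hardening controls that reduce the exposure of an instance that has not yet been patched: an unrestricted bind address, protected-mode turned off, no requirepass, and the Lua scripting commands (EVAL, EVALSHA, SCRIPT) left reachable. The directive names are real Redis configuration keys; the two configuration texts are constructed samples, and the choice of these particular checks is an assumption of the example, not something the article prescribes. Patching CVE-2022-0543 remains the actual fix; this audit only flags settings that widen the blast radius until that patch is applied.

```python
"""Audit a redis.conf for settings that widen exposure of an unpatched Redis instance.

Constructed example: the checks are generic Redis hardening controls (an assumption of
this example, not a list from the article). Patching CVE-2022-0543 is still the real fix.
"""
from dataclasses import dataclass

# Constructed sample: a permissive configuration of the kind a worm can reach.
EXPOSED_CONF = """
# constructed sample redis.conf (not from a real deployment)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass deliberately commented out
# requirepass change-me
"""

# Constructed sample: the same instance with the controls applied.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass placeholder-secret
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

LUA_COMMANDS = ("EVAL", "EVALSHA", "SCRIPT")
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


@dataclass(frozen=True)
class Finding:
    key: str     # the directive the finding concerns
    detail: str  # what to change


def parse_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists seen for it.

    Blank lines and '#' comments are skipped; a directive may repeat (e.g. rename-command).
    """
    directives: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_conf(text: str) -> list:
    """Return the list of Findings for one redis.conf text (empty list == no issues)."""
    conf = parse_conf(text)
    findings = []

    # 1. Reachability: with no bind directive Redis listens on every interface.
    bind_args = conf.get("bind", [])
    addrs = {a for args in bind_args for a in args}
    if not bind_args or addrs & WILDCARD_BINDS:
        findings.append(Finding("bind", "restrict bind to loopback or an internal address"))

    # 2. protected-mode (default yes) refuses remote clients when no password is configured.
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append(Finding("protected-mode", "set protected-mode yes"))

    # 3. Authentication: an unauthenticated instance accepts commands from anyone who connects.
    if "requirepass" not in conf:
        findings.append(Finding("requirepass", "require a password (or use ACLs)"))

    # 4. Lua entry points: 'rename-command X ""' disables X, so the sandbox cannot be reached.
    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1] in ('""', "''")
    }
    for cmd in LUA_COMMANDS:
        if cmd not in disabled:
            findings.append(Finding(f"rename-command:{cmd}",
                                    f'disable {cmd} with: rename-command {cmd} ""'))
    return findings


def finding_keys(text: str) -> set:
    """Convenience wrapper: the set of directive keys flagged for a config text."""
    return {f.key for f in audit_conf(text)}


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for f in audit_conf(conf) or [Finding("-", "no findings")]:
            print(f"  {f.key}: {f.detail}")
```

Run against a real file with `audit_conf(open("/etc/redis/redis.conf").read())`; an empty result means none of the four controls is missing, not that the binary is patched, so pair it with a version check of the installed Redis package.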