Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm

In July, researchers from Palo Alto Networks Unit 42 discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers on Linux and Windows systems. P2PInfect is written in Rust and exploits the CVE-2022-0543 vulnerability to gain initial access. Once installed, it establishes P2P communication with the rest of the network of infected hosts. It has been found on over 307,000 unique public Redis systems in the past two weeks, with 934 possibly vulnerable. The worm's goal and the threat actors behind it remain unclear.

Recently, Cado Security researchers reported a new variant of P2PInfect that exploits the Redis replication feature to compromise exposed Redis data stores. Replication allows instances of Redis to run in a distributed architecture. The attackers connect to an exposed Redis instance, issue the SLAVEOF command so that it becomes a replica of a server they control, complete replication, and then load a malicious module (a Linux shared object file) to extend Redis's functionality (SecurityAffairs, 2023).
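The replication path described above works only when an instance is reachable without authentication and still accepts the SLAVEOF/REPLICAOF and MODULE commands. The following script is an added example (not code from Unit 42, Cado Security, or the Redis project) that audits a redis.conf for those settings and then flags the same commands in Redis MONITOR output when they come from a peer that is not on an allow-list. The configuration fragments, the MONITOR lines and the allowed peer address are all constructed for the example; the `enable-module-command` directive assumed here exists in Redis 7 and later, while `rename-command` is the older mechanism used on earlier versions.

```python
"""Audit a redis.conf against the replication-abuse path and flag
SLAVEOF/REPLICAOF/MODULE commands in MONITOR output from unexpected peers.
Added example; config and log lines below are constructed."""
import re
from collections import defaultdict

# Commands an attacker needs to turn a reachable instance into a replica of
# their own server and then load a shared-object module into it.
SENSITIVE_COMMANDS = {"SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG"}

# MONITOR line: "<timestamp> [<db> <client addr>] "CMD" "arg" ..."
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] "(?P<cmd>[^"]+)"(?P<args>.*)$'
)


def parse_conf(text):
    """Return {directive: [[values...], ...]} keeping repeated directives
    such as rename-command as separate entries."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()].append(parts[1:])
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means the checks all pass."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", [])
    if not bind or any("0.0.0.0" in v or "*" in v for v in bind):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", [["yes"]])[0][0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf and "user" not in conf:
        findings.append("auth: no requirepass or ACL users configured")
    # Any rename-command entry (renamed or disabled with "") counts as mitigation.
    renamed = {v[0].upper() for v in conf.get("rename-command", []) if v}
    module_switch = conf.get("enable-module-command", [["absent"]])[0][0].lower()
    debug_switch = conf.get("enable-debug-command", [["absent"]])[0][0].lower()
    for cmd in sorted(SENSITIVE_COMMANDS):
        if cmd in renamed:
            continue
        if cmd == "MODULE" and module_switch in ("no", "local"):
            continue
        if cmd == "DEBUG" and debug_switch in ("no", "local"):
            continue
        findings.append(f"{cmd}: command still reachable by any client")
    return findings


def flag_monitor(lines, allowed_peers):
    """Return [(source_ip, command line)] for sensitive commands issued by
    clients outside allowed_peers (e.g. the legitimate replicas)."""
    hits = []
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").upper()
        ip = m.group("addr").rsplit(":", 1)[0]
        if cmd in SENSITIVE_COMMANDS and ip not in allowed_peers:
            hits.append((ip, cmd + m.group("args")))
    return hits


# Constructed sample input: an exposed instance and a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass EXAMPLE-PLACEHOLDER-PASSWORD
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command DEBUG ""
enable-module-command no
"""

# Constructed MONITOR lines; 10.0.0.5 is the assumed legitimate replica.
SAMPLE_MONITOR = [
    '1693900001.123456 [0 10.0.0.5:40012] "GET" "session:42"',
    '1693900002.223456 [0 198.51.100.23:51234] "SLAVEOF" "198.51.100.23" "6379"',
    '1693900003.323456 [0 198.51.100.23:51234] "MODULE" "LOAD" "/tmp/example.so"',
    '1693900004.423456 [0 10.0.0.5:40012] "REPLICAOF" "10.0.0.7" "6379"',
]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "OK")
    for ip, cmd in flag_monitor(SAMPLE_MONITOR, {"10.0.0.5"}):
        print("ALERT", ip, cmd)
```

On Redis 7 and later, ACL rules such as `-@dangerous` for application users are the preferred replacement for `rename-command`; the audit above treats either as mitigation. MONITOR is costly on a busy instance, so in practice the same check is better run against a short capture or against the Redis log of accepted commands rather than continuously.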

Security Officer Comments:
The worm attempts to compromise Redis hosts through the Cron unauthenticated RCE mechanism. Once a server is compromised, the attackers deliver next-stage payloads that enable malicious activities, such as modifying iptables firewall rules. P2PInfect exhibits worming behavior, scanning for potentially exposed SSH and Redis servers within a /16 network prefix and using a list of passwords for brute-force attacks.
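The SSH brute-force activity from within the host's own /16 is visible in sshd authentication logs. The following script is an added example (not tooling from Unit 42 or Cado Security) that counts failed password attempts per source, records how many distinct usernames each source tried, and marks sources that fall inside the same /16 as the monitored host. The log lines and the host address are constructed for the example; the threshold is an assumed tuning value.

```python
"""Flag SSH brute-force sources in sshd logs and mark those in the host's /16.
Added example; log lines and host address are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed address of the host whose auth log is being examined.
HOST_IP = ipaddress.ip_address("10.20.5.9")

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." sshd messages.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins(lines):
    """Return (failures per source ip, distinct usernames per source ip)."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return per_ip, users


def brute_force_sources(lines, threshold=5, host_ip=HOST_IP):
    """Return [(ip, failures, distinct_users, in_host_16)] for sources at or
    above threshold, most active first. in_host_16 is True when the source
    shares the host's /16, the prefix the worm scans."""
    net16 = ipaddress.ip_network(f"{host_ip}/16", strict=False)
    per_ip, users = failed_logins(lines)
    return [
        (ip, n, len(users[ip]), ipaddress.ip_address(ip) in net16)
        for ip, n in per_ip.most_common()
        if n >= threshold
    ]


# Constructed sample log: one noisy neighbour in the same /16, one distant
# scanner, and one source with only a couple of failures.
SAMPLE_AUTH_LOG = [
    "Sep  5 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 10.20.77.3 port 41000 ssh2",
    "Sep  5 10:01:03 web1 sshd[1201]: Failed password for invalid user admin from 10.20.77.3 port 41001 ssh2",
    "Sep  5 10:01:04 web1 sshd[1203]: Failed password for root from 10.20.77.3 port 41002 ssh2",
    "Sep  5 10:01:05 web1 sshd[1203]: Failed password for root from 10.20.77.3 port 41003 ssh2",
    "Sep  5 10:01:06 web1 sshd[1205]: Failed password for invalid user test from 10.20.77.3 port 41004 ssh2",
    "Sep  5 10:01:07 web1 sshd[1205]: Failed password for invalid user oracle from 10.20.77.3 port 41005 ssh2",
    "Sep  5 10:02:01 web1 sshd[1210]: Failed password for root from 203.0.113.8 port 50010 ssh2",
    "Sep  5 10:02:02 web1 sshd[1210]: Failed password for root from 203.0.113.8 port 50011 ssh2",
    "Sep  5 10:03:01 web1 sshd[1220]: Failed password for invalid user ubuntu from 198.51.100.4 port 33001 ssh2",
    "Sep  5 10:03:02 web1 sshd[1220]: Failed password for invalid user pi from 198.51.100.4 port 33002 ssh2",
    "Sep  5 10:03:03 web1 sshd[1220]: Failed password for invalid user git from 198.51.100.4 port 33003 ssh2",
    "Sep  5 10:03:04 web1 sshd[1220]: Failed password for root from 198.51.100.4 port 33004 ssh2",
    "Sep  5 10:03:05 web1 sshd[1220]: Failed password for invalid user redis from 198.51.100.4 port 33005 ssh2",
    "Sep  5 10:03:06 web1 sshd[1222]: Accepted publickey for deploy from 10.20.5.20 port 60000 ssh2",
]

if __name__ == "__main__":
    for ip, n, nusers, local in brute_force_sources(SAMPLE_AUTH_LOG):
        where = "same /16 as host" if local else "remote"
        print(f"{ip}: {n} failures, {nusers} usernames ({where})")
```

A source inside the host's own /16 that cycles through many usernames is the pattern worth prioritising here, since it suggests an already-compromised neighbour rather than generic Internet background noise; correlating it with the Redis-side checks on the same subnet is the natural next step.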

While the Cado Security variant had similar functionality to the Windows variant analyzed by Unit 42, the initial access method differed, and there was no specific evidence of targeting cloud environments. Both Unit 42 and Cado Security Labs agree on the subject of the miner payload.

Suggested Correction(s):
The report includes Indicators of Compromise (IoCs) and Yara rules for binary detection, providing valuable information for security teams to defend against the P2PInfect worm.