P2PInfect Botnet Activity Surges 600x with Stealthier Malware Variants

Cyber Security Threat Summary:
The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems. Researchers at Cado Security, who have been monitoring the botnet since late July 2023, now report widespread global activity. The majority of these breaches have impacted systems in countries including China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.

Cado has detected heightened P2PInfect botnet activity, signaling a new phase of code stability enabling its escalated operations. The researchers have reported a consistent rise in the volume of initial access attempts made by P2PInfect on their honeypots. As of August 24, 2023, a single sensor recorded 4,064 such events. By September 3, 2023, although initial access events had tripled, their numbers remained relatively low. However, during the week spanning from September 12th to 19th, 2023, a significant surge in P2PInfect activity was observed. Cado documented 3,619 access attempts during this period alone, marking a staggering 600-fold increase.

Security Officer Comments:
Cado's findings indicate that recent iterations of P2PInfect made attempts to retrieve a miner payload, but no actual cryptocurrency mining activity was observed on the compromised devices. Consequently, it remains uncertain whether the malware operators are still fine-tuning the final phase of their attack strategy. The operators of this botnet might be in the process of improving the miner component or exploring potential buyers interested in P2PInfect subscriptions, possibly using the miner as a showcase for demonstration purposes. Considering the botnet's current size, widespread presence, automatic updating capabilities, and its rapid expansion in the current month, P2PInfect represents a significant threat that warrants close monitoring.

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminal will continue to target the ever growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.