New peer-to-peer worm infects Redis instances through Lua vulnerability – CSO Online

Researchers have discovered a new worm that infects servers running the Redis in-memory storage system by exploiting a known vulnerability in its Lua subcomponent. Dubbed P2PInfect, the worm is written in Rust and uses a custom peer-to-peer (P2P) communications protocol and network.

Unit 42 believes this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network, researchers from Palo Alto Networks' Unit 42 research team said in a new report. There are instances of the word miner within the malicious toolkit of P2PInfect. However, researchers did not find any definitive evidence that cryptomining operations ever occurred.

Lua is a cross-platform programming language and scripting engine that's commonly embedded as a sandboxed library in applications to enable scripting support. This is also the case for Redis, which allows its users to upload and execute Lua scripts on the server for extended functionality.

While Redis instances have been infected by malicious actors and botnets before, this was mainly achieved by exploiting vulnerabilities or misconfigurations in Redis itself. P2PInfect, by contrast, additionally exploits a critical Lua sandbox escape vulnerability, tracked as CVE-2022-0543, that specifically affects the Redis packages on Debian Linux.

According to the Unit 42 researchers, more than 307,000 Redis instances are currently accessible from the internet, but only a small subset of around 900 are vulnerable to this flaw. However, the worm will attempt to probe and infect all public instances.

Exploiting CVE-2022-0543 makes P2PInfect effective in cloud container environments, the researchers said. Containers have a reduced set of functionalities. For example, they do not have cron services. Many of the most active worms exploiting Redis use a technique to achieve remote code execution (RCE) using cron services. This technique does not work in containers. P2PInfect incorporates the exploit for CVE-2022-0543 with the intention of covering as many vulnerable scenarios as possible, including cloud container environments.

Once the main P2PInfect dropper is deployed, it connects to the P2P network and downloads information about the custom communication protocol, which works over TLS 1.3, as well as a list of active nodes in the network. It also registers its own information with the network and chooses a random communications port.

The fact that the worm uses a peer-to-peer command-and-control protocol and a random port number for each node makes it resilient against takedown attempts, as there's no central point of failure. Its communications are also harder to block at firewalls because there's no single port that can be blocked to stop its traffic.

The worm is written in Rust, a modern programming language that is cross-platform and is known for its memory and type safety. This has made it a popular programming choice for major companies. The P2PInfect dropper was seen infecting Redis instances on both Linux and Windows and it deploys additional payloads written in Rust. Some of these are named linux, miner, winminer, and windows.

On Windows systems, the Palo Alto researchers also saw another component called Monitor being deployed that enables persistence and makes sure the worm is running. After deploying its additional components, the worm immediately starts scanning for vulnerable Redis instances, but it also scans random ranges of IP addresses for port 22, which is normally associated with SSH. It's not clear why this port is scanned, because the researchers saw no evidence that the bot is trying to exploit or connect to other systems over SSH, at least not yet.

We recommend that organizations monitor all Redis applications, both on-premises and within cloud environments, to ensure they do not contain random filenames within the /tmp directory, the researchers said. Additionally, DevOps personnel should continually monitor their Redis instances to ensure they maintain legitimate operations and maintain network access. All Redis instances should also be updated to their latest versions or anything newer than redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2 and redis/5:7.0~rc2-2.
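The version check the researchers recommend can be automated against the package versions they list. The following is an added example, not code from the article or from Unit 42: a Python port of dpkg's version-comparison algorithm that classifies an installed Debian redis package version (for instance the output of `dpkg-query -W -f='${Version}' redis-server`) against the four fixed versions quoted above. It assumes Debian's convention that the listed version itself, and anything above it in the same upstream X.Y series, counts as fixed.

```python
import re
# Fixed Debian redis versions for CVE-2022-0543 as listed in the article ("redis/" prefix stripped).
FIXED_VERSIONS = ["5:6.0.16-1+deb11u2", "5:5.0.14-1+deb10u2", "5:6.0.16-2", "5:7.0~rc2-2"]

def _order(c):
    # dpkg character weight: '~' < end of string < letters < other non-digits; digits count as 0.
    return -1 if c == "~" else ord(c) if c.isalpha() else (ord(c) + 256 if c and not c.isdigit() else 0)

def _cmp_fragment(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (by weight) and digit runs (numeric).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():   # more digits left on one side: that number is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    # "[epoch:]upstream[-debian_revision]" -> (epoch, upstream, revision)
    epoch, v = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Same sign convention as `dpkg --compare-versions`: negative, zero or positive.
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def redis_fixed_for_cve_2022_0543(installed):
    # True if at or above a fixed version of the same upstream X.Y series, False if
    # below it, None if the advisory lists no fixed version for that series.
    series = lambda v: re.match(r"\d+\.\d+|", parse_version(v)[1]).group(0)  # "" if no X.Y prefix
    candidates = [f for f in FIXED_VERSIONS if series(f) == series(installed)]
    return any(compare_versions(installed, f) >= 0 for f in candidates) if candidates else None
```

A `None` result means the installed series is outside the advisory's scope and needs a manual look rather than being treated as safe.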

P2PInfect is the latest addition in a string of self-propagating botnets that target cloud and container technologies. Researchers from Aqua Security recently documented another worm dubbed Silentbob that targets Kubernetes clusters, Docker APIs, Weave Scope instances, JupyterLab and Jupyter Notebook deployments, Redis servers, and Hadoop clusters.
