Researchers have discovered a new worm that infects servers running the Redis in-memory storage system by exploiting a known vulnerability in its Lua subcomponent. Dubbed P2PInfect, the worm is written in Rust and uses a custom peer-to-peer (P2P) communications protocol and network.
Editor’s note: This article, originally published on July 20, 2023, has been updated with new information from Cado Security.
“Unit 42 believes this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this robust P2P command and control (C2) network,” researchers from Palo Alto Networks’ Unit 42 research team said in a new report. “There are instances of the word ‘miner’ within the malicious toolkit of P2PInfect. However, researchers did not find any definitive evidence that cryptomining operations ever occurred.”
A Lua sandbox escape
Lua is a cross-platform programming language and scripting engine that’s commonly embedded as a sandboxed library in applications to enable scripting support. This is also the case for Redis, which allows its users to upload and execute Lua scripts on the server for extended functionality.
While Redis instances have been infected by malicious actors and botnets before, this was mainly achieved by exploiting vulnerabilities or misconfigurations in Redis itself. Meanwhile, the P2PInfect worm also exploits a critical Lua sandbox exploit vulnerability tracked as CVE-2022-0543 that specifically affects the Redis packages on Debian Linux.
According to the Unit 42 researchers, more than 307,000 Redis instances are currently accessible from the internet, but only a small subset of around 900 are vulnerable to this flaw. However, the worm will attempt to probe and infect all public instances.
“Exploiting CVE-2022-0543 makes P2PInfect effective in cloud container environments,” the researchers said. “Containers have a reduced set of functionalities. For example, they do not have ‘cron’ services. Many of the most active worms exploiting Redis use a technique to achieve remote code execution (RCE) using cron services. This technique does not work in containers. P2PInfect incorporates the exploit for CVE-2022-0543 with the intention of covering as many vulnerable scenarios as possible, including cloud container environments.”
In a separate analysis by researchers from Cado Security Labs, a different infection vector was observed. The Cado researchers also had one of their Redis honeypot servers compromised by the P2Pinfect worm, but instead of using the CVE-2022-0543 vulnerability to get in, attackers exploited Redis’ replication feature.
The replication feature allows Redis nodes to function as a slave of a designated master node. This feature can be triggered with a command called SLAVEOF and will result in the node becoming a replica of the master. Multiple groups of attackers have been known to use this technique in the past against publicly exposed Redis instances by connecting to them and making them slaves of malicious Redis instances under their control.
The benefit of this technique is that attackers can then insert a Linux shared object file into their master mode that will be replicated to the compromised slaves and which can then be loaded as a module on the slaves with the MODULE LOAD command. Modules are meant to extend the functionality of Redis, and in this case attackers designed a module that provided them with reverse shell access and implemented a command called system.exec that allowed them to execute arbitrary shell commands on the victim systems.
P2PInfect malware is cross-platform and resilient
Once the main P2PInfect dropper is deployed it connects to the P2P network and download information about the custom communication protocol, which works over TLS 1.3, as well as a list of active nodes in the network. It will also update the network with its own information and will choose a random communications port.
The fact that the worm uses a peer-to-peer command-and-control protocol and random port numbers for each node makes it resilient against takedown attempts as there’s no central failure point. Its communications are also harder to block through firewalls because there’s not one specific port that can be blocked to stop its traffic.
The worm is written in Rust, a modern programming language that is cross-platform and is known for its memory and type safety. This has made it a popular programming choice for major companies. The P2PInfect dropper was seen infecting Redis instances on both Linux and Windows and it deploys additional payloads written in Rust. Some of these are named linux, miner, winminer, and windows.
On Windows systems, the Palo Alto researchers also saw another component called Monitor being deployed that enables persistence and makes sure the worm is running. After deploying its additional components, the worm immediately starts scanning for vulnerable Redis instances but also scans random ranges of IP addresses for port 22 which is normally associated with SSH. It’s not clear why this port is scanned because the researchers saw no evidence that the bot is trying to exploit or connect to other systems over SSH, at least not yet.
“We recommend that organizations monitor all Redis applications, both on-premises and within cloud environments, to ensure they do not contain random filenames within the /tmp directory,” the researchers said. “Additionally, DevOps personnel should continually monitor their Redis instances to ensure they maintain legitimate operations and maintain network access. All Redis instances should also be updated to their latest versions or anything newer than redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2 and redis/5:7.0~rc2-2.”
P2PInfect is the latest addition in a string of self-propagating botnets that target cloud and container technologies. Researchers from Aqua Security recently documented another worm dubbed Silentbob that targets Kubernetes clusters, Docker APIs, Weave Scope instances, JupyterLab and Jupyter Notebook deployments, Redis servers, and Hadoop clusters.
Cyberattacks, Malware, Vulnerabilities