P2PInfect server botnet spreads using Redis replication feature (Security News, July 2023)
Threat actors are actively targeting exposed SSH and Redis (open-source data store) instances with a peer-to-peer self-replicating worm, available in both Windows and Linux versions, that its authors named P2PInfect.
After compromising a vulnerable Redis instance with an initial payload, P2PInfect downloads new OS-specific scripts and malicious binaries and adds the server to its list of infected systems.
The sample analyzed by Cado Security researchers also used a different initial access route: it abused the Redis replication feature, which allows the creation of exact replicas of the main/leader Redis instance.
"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication" - Cado Security.
The researchers say P2PInfect treats each compromised Redis server as a node, turning the network into a peer-to-peer botnet that can receive instructions without the need for a centralized command and control server.
With Redis servers, P2PInfect will try to exploit CVE-2022-0543 or the replication feature to load malicious modules on the host.
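The exposure described above comes down to a reachable, unauthenticated Redis whose REPLICAOF/SLAVEOF and MODULE commands are available under their default names. The following audit script is an added example (not Cado Security's code) that parses a redis.conf and flags those conditions; the directive names are real Redis settings, the sample configs are constructed, and the password value is a placeholder.

```python
"""Audit a redis.conf for the conditions a rogue-replication / module-loading
attack against Redis depends on. Added example, not the vendor's own tooling."""

# Commands a rogue "leader" needs to push a module onto a victim replica.
# Renaming them to "" (or disabling MODULE on Redis 7+) removes that path.
SENSITIVE_COMMANDS = {"REPLICAOF", "SLAVEOF", "MODULE", "CONFIG", "DEBUG"}

def parse_conf(text):
    """Return {directive: [value, ...]}; full-line '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", []))
    if not binds or "0.0.0.0" in binds or "*" in binds:
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no authentication configured")
    neutralised = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    # Only an explicit 'no' counts: pre-7.0 builds lack this directive entirely.
    if conf.get("enable-module-command", [""])[0].lower() == "no":
        neutralised.add("MODULE")
    for cmd in sorted(SENSITIVE_COMMANDS - neutralised):
        findings.append(f"{cmd}: reachable under its default name")
    return findings

# Constructed samples: an exposed default-style config and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass CHANGEME-placeholder
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command MODULE ""
rename-command CONFIG ""
rename-command DEBUG ""
"""
```

Run `audit()` over a deployed redis.conf; a non-empty result lists the settings to fix before the instance is exposed.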
Related Vulnerability

| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-02-18 | CVE-2022-0543 | Missing Authorization vulnerability in Redis. It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. | 10.0 |