
P2PInfect server botnet spreads using Redis replication feature
2023-07-31 15:31

Threat actors are actively targeting exposed SSH and Redis (the open-source data store) instances with a peer-to-peer, self-replicating worm, available in both Windows and Linux versions, that its authors named P2PInfect.

After compromising a vulnerable Redis instance with an initial payload, P2PInfect downloads new OS-specific scripts and malicious binaries and adds the server to its list of infected systems.

Besides exploiting a known vulnerability, the sample Cado Security analyzed used a second initial access route: abusing the Redis replication feature, which turns an instance into an exact replica of a main/leader Redis instance, so that the victim replicates from an attacker-controlled instance.

"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication" - Cado Security.

The researchers say P2PInfect treats each compromised Redis server as a node, turning the network into a peer-to-peer botnet that can receive instructions without the need for a centralized command and control server.

With Redis servers, P2PInfect will try to exploit CVE-2022-0543 or the replication feature to load malicious modules on the host.
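The attack pattern Cado Security describes above, and the module loading mentioned in the previous sentence, leave a recognisable command sequence on the victim. The detector below is an added example, not Cado Security's or the malware's code: it parses Redis MONITOR output (the sample lines are constructed here, not captured traffic) and scores the widely documented rogue-replica chain of REPLICAOF/SLAVEOF to an untrusted host, CONFIG SET dbfilename to a shared object, and MODULE LOAD. The ALLOWED_MASTERS set, the client addresses and the file names are assumptions; whether P2PInfect issues exactly these commands is not stated on this page.

```python
"""Detect the Redis rogue-replica (replication abuse) chain in MONITOR output.

Added example; it encodes the commonly documented technique, not a verified
trace of P2PInfect. All sample data below is constructed.
"""
import re
from collections import defaultdict

# MONITOR line format: <unix time> [<db> <client addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Assumed: the only master this instance may legitimately replicate from.
ALLOWED_MASTERS = {"10.0.0.10"}


def parse_monitor_line(line):
    """Return (timestamp, client, [cmd, args...]) or None for a non-MONITOR line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    # MONITOR backslash-escapes quotes and non-printables inside arguments.
    args = [re.sub(r'\\(.)', r'\1', a) for a in ARG_RE.findall(m["rest"])]
    return m["ts"], m["client"], args


def analyze(lines):
    """Walk MONITOR output and return (alerts, compromised_clients).

    alerts: list of (severity, client, message) in stream order.
    compromised_clients: clients that completed the full chain
        REPLICAOF <untrusted host> -> CONFIG SET dbfilename *.so -> MODULE LOAD
    """
    state = defaultdict(lambda: {"master": None, "so_file": False})
    alerts, compromised = [], set()
    for line in lines:
        rec = parse_monitor_line(line)
        if not rec or not rec[2]:
            continue
        ts, client, args = rec
        cmd, st = args[0].upper(), state[client]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
            host = args[1]
            if host.upper() == "NO":  # SLAVEOF NO ONE: the usual cleanup step
                if st["master"]:
                    alerts.append(("medium", client, f"{ts} detached from untrusted master {st['master']}"))
                continue
            if host not in ALLOWED_MASTERS:
                st["master"] = host
                alerts.append(("high", client, f"{ts} replication pointed at untrusted master {host}:{args[2]}"))
        elif cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, val = args[2].lower(), args[3]
            if key == "dbfilename" and val.lower().endswith(".so"):
                st["so_file"] = True  # the synced RDB payload will land on disk as a library
                alerts.append(("high", client, f"{ts} RDB filename changed to shared object {val}"))
            elif key == "dir":
                alerts.append(("low", client, f"{ts} working directory changed to {val}"))
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
            # MODULE LOAD alone is already suspicious; after the two prior steps it is the full chain.
            sev = "critical" if st["master"] and st["so_file"] else "high"
            alerts.append((sev, client, f"{ts} MODULE LOAD {args[2]}"))
            if sev == "critical":
                compromised.add(client)
    return alerts, compromised


# Constructed sample (not captured traffic): one attacker client runs the full
# chain; a legitimate admin client later re-points the replica at the real master.
SAMPLE_MONITOR = """\
1690811100.000001 [0 10.0.0.5:50001] "PING"
1690811100.100002 [0 203.0.113.7:41234] "SLAVEOF" "203.0.113.7" "6379"
1690811100.200003 [0 203.0.113.7:41234] "CONFIG" "SET" "dir" "/tmp"
1690811100.300004 [0 203.0.113.7:41234] "CONFIG" "SET" "dbfilename" "exp.so"
1690811103.400005 [0 203.0.113.7:41234] "MODULE" "LOAD" "/tmp/exp.so"
1690811103.500006 [0 203.0.113.7:41234] "SLAVEOF" "NO" "ONE"
1690811104.000007 [0 10.0.0.5:50001] "REPLICAOF" "10.0.0.10" "6379"
"""

if __name__ == "__main__":
    found, clients = analyze(SAMPLE_MONITOR.splitlines())
    for sev, client, msg in found:
        print(f"[{sev:8}] {client} {msg}")
    print("rogue-replica chain completed by:", sorted(clients))
```

MONITOR is expensive on a busy instance, so in practice this logic runs against a sidecar that monitors a replica, or against a proxy's command log, rather than on a production primary. The preventive side is the usual Redis hardening: bind to a private interface, protected-mode yes, requirepass or ACL users, replica-read-only yes, and, on Redis 7.0 and later, enable-module-command no (rename-command for REPLICAOF, SLAVEOF, CONFIG and MODULE on older releases).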


News URL

https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spreads-using-redis-replication-feature/

Related Vulnerability

Date: 2022-02-18
CVE: CVE-2022-0543
Title: Missing Authorization vulnerability in Redis
Description: It was discovered that redis, a persistent key-value database, is prone, due to a packaging issue, to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Attack vector: network, low complexity
Product / weakness: redis, CWE-862
Risk: critical, score 10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Redis 4 4 10 15 4 33