P2P Self-Replicating Cloud Worm Targets Redis

Note: Article updated on 7-20-23 to add a statement from Redis.

Researchers have identified a cross-platform, Rust-based, peer-to-peer (P2) worm that's targeting the Redis open-source database application; specifically, containers in the cloud. 

A July 19 report from Palo Alto Network's Unit 42 named the cloud worm an appropriate moniker: "P2PInfect." The team suspects, due to its substantial command-and-control (C2) network, and mentions of the word "miner," that it could be the first stage of a wider cryptomining operation.

While the Unit 42 team found more than 300,000 Redis systems online, not all are vulnerable to the P2Pinfect worm — in fact they found just 934 of those. The team said vulnerable Redis systems are unpatched against the Lua sandbox escape vulnerability tracked under CVE-2022-0543, which scores 10 out of 10 on the CVSS vulnerability-severity scale.

"While the vulnerability was disclosed in 2022, its scope is not fully known at this point," the Unit 42 P2P cloud worm report explained. "Additionally, the fact that P2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable and potent than other worms."

The problem for the rest of the Redis user base is that Unit 42 analysts predict that every Redis system can expect threat actors to attempt a breach. And, it can be modified with additional compromise tactics at any time, meaning that Redis instances that are not vulnerable now could become crackable in the future.

"The P2P network appears to possess multiple C2 features such as 'Auto-updating' that would allow the controllers of the P2P network to push new payloads into the network that could alter and enhance the performance of any of the malicious operations," according to the report.

The Unit 42 added it will continue to track P2PInfect.

“We’ve previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis,” the company said in a statement provided to Dark Reading. “Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability. As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from redis.io."