“Exploiting CVE-2022-0543 makes P2PInfect effective in cloud container environments,” the researchers stated. “Containers have a reduced set of functionalities. For instance, they don’t have ‘cron’ services. Many of the most active worms exploiting Redis use a method to achieve remote code execution (RCE) using cron services. This method doesn’t work in containers. P2PInfect incorporates the exploit for CVE-2022-0543 with the intention of covering as many vulnerable scenarios as possible, including cloud container environments.”
In a separate analysis by researchers from Cado Security Labs, a different infection vector was observed. The Cado researchers also had one of their Redis honeypot servers compromised by the P2PInfect worm, but instead of using the CVE-2022-0543 vulnerability to get in, the attackers exploited Redis’ replication feature.
The replication feature allows a Redis node to function as a slave (replica) of a designated master node. It is triggered with a command called SLAVEOF and results in the node becoming a copy of the master. Several groups of attackers have been known to use this technique in the past against publicly exposed Redis instances by connecting to them and making them slaves of malicious Redis instances under their control.
The benefit of this technique for attackers is that they can then place a Linux shared object file on their master node; the file is replicated to the compromised slaves and can then be loaded as a module on the slaves with the MODULE LOAD command. Modules are meant to extend the functionality of Redis, and in this case the attackers designed a module that provided them with reverse shell access and implemented a command called system.exec that allowed them to execute arbitrary shell commands on the victim systems.
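As an added defender's example (not code from the article or from either research team), the following Python script parses Redis MONITOR output and flags a SLAVEOF or REPLICAOF command that points a node at a master outside an operator-maintained allow list, escalating when the same client then issues MODULE LOAD, which is the replication-to-module-load sequence described above. The MONITOR line layout, the 10.0.0.5 trusted master, the 198.51.100.23 client and the sample lines are all constructed for this example.

```python
import re

# One Redis MONITOR line: <unix-ts> [<db> <client-ip:port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.+)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Masters this deployment legitimately replicates from (constructed allow list).
TRUSTED_MASTERS = {("10.0.0.5", "6379")}

# Constructed MONITOR lines: one legitimate replica setup, and one untrusted
# SLAVEOF followed by MODULE LOAD from the same client (the pattern in the text).
SAMPLE = """\
1690000000.100000 [0 10.0.0.9:51000] "PING"
1690000001.200000 [0 198.51.100.23:40122] "SLAVEOF" "198.51.100.23" "6379"
1690000002.300000 [0 10.0.0.9:51001] "slaveof" "10.0.0.5" "6379"
1690000005.400000 [0 198.51.100.23:40122] "MODULE" "LOAD" "/tmp/example.so"
1690000006.500000 [0 10.0.0.9:51002] "GET" "session:abc"
""".splitlines()

def parse_line(line):
    m = MONITOR_RE.match(line.strip())
    args = ARG_RE.findall(m.group("rest")) if m else []
    if not args:
        return None  # unparsable or empty line
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "cmd": args[0].upper(), "args": args[1:]}

def detect(lines, trusted_masters=TRUSTED_MASTERS):
    alerts = []
    pending = {}  # client -> (command, host, port) of an untrusted replication request
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cmd, args, client = ev["cmd"], ev["args"], ev["client"]
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) == 2:
            if (args[0].upper(), args[1].upper()) == ("NO", "ONE"):
                continue  # "SLAVEOF NO ONE" re-promotes the node; benign on its own
            if (args[0], args[1]) not in trusted_masters:
                alerts.append(f"{client}: {cmd} to untrusted master {args[0]}:{args[1]}")
                pending[client] = (cmd, args[0], args[1])
        elif cmd == "MODULE" and args and args[0].upper() == "LOAD":
            path = args[1] if len(args) > 1 else "?"
            if client in pending:
                scmd, host, port = pending[client]
                alerts.append(f"{client}: MODULE LOAD {path} after {scmd} to {host}:{port} (replication-to-RCE pattern)")
            else:
                alerts.append(f"{client}: MODULE LOAD {path}")
    return alerts
```

Feed it `redis-cli MONITOR` output (or an equivalent command audit log); in hardened deployments MODULE LOAD should not appear at all, so any hit is worth a look, and the paired hit is the sequence this article describes.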
P2PInfect malware is cross-platform and resilient
Once the main P2PInfect dropper is deployed, it connects to the P2P network and obtains information about the custom communication protocol, which works over TLS 1.3, as well as a list of active nodes in the network. It also updates the network with its own information and chooses a random communications port.
The fact that the worm uses a peer-to-peer command-and-control protocol and random port numbers for each node makes it resilient against takedown attempts, as there is no central point of failure. Its communications are also harder to block with firewalls, because there is no single port that can be blocked to stop its traffic.