
Earlier this month, security researchers discovered new peer-to-peer (P2P) malware with self-spreading capabilities that targets Redis instances running on Windows and Linux systems exposed to the Internet.

The Unit 42 researchers who spotted the Rust-based worm (named P2PInfect) on July 11 also discovered that it was compromising Redis servers left vulnerable to CVE-2022-0543, a maximum-severity Lua sandbox escape vulnerability.

While more than 307,000 Internet-exposed Redis servers have been discovered in the past two weeks, only 934 instances are potentially vulnerable to attacks from this malware, according to researchers.

However, even though not all of them are susceptible to infection, the worm will still target them and attempt to compromise them.

“We have captured multiple samples within our HoneyCloud platform, across multiple geographies, and are confident that the number of P2P nodes is growing,” the researchers said.

“This is due to the sheer volume of potential targets – over 307,000 Redis instances communicating publicly over the past two weeks – and the fact that the worm may have compromised several of our Redis honeypots in disparate regions. However, we do not yet have an estimate of how many nodes exist or how fast the malicious network associated with P2PInfect is growing.”

Targets set to cloud container environments

Successful exploitation of the CVE-2022-0543 flaw allows the malware to gain remote code execution capabilities on compromised devices.

Following its deployment, the P2PInfect worm installs an initial malicious payload, creating a peer-to-peer (P2P) communication channel within a larger interconnected system.

After connecting to the P2P network of other infected devices used for automatic propagation, the worm downloads additional malicious binaries, including scanning tools to find other exposed Redis servers.

“Exploiting CVE-2022-0543 in this way makes the P2PInfect worm more efficient at operating and spreading in cloud container environments,” the researchers added.

“Unit 42 believes this P2PInfect campaign is the first step in a potentially more successful attack that takes advantage of this robust P2P command and control (C2) network.”

Redis servers have been targeted by many threat actors over the years, and most of the compromised instances have been added to DDoS and cryptojacking botnets.

For example, CVE-2022-0543 exploits have been used for initial access by other botnets targeting Redis instances, including Muhstik and Redigo, for various malicious purposes including DDoS attacks and brute-force attacks.

In March 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch this critical Redis vulnerability after it was added to the set of exploits spread by the Muhstik malware gang.

Unfortunately, given the large number of instances exposed online, many Redis server administrators may not be aware that Redis does not have a secure configuration by default.

According to the official documentation, Redis servers are designed for closed computer networks and therefore do not have an access control mechanism enabled by default.
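The two paragraphs above are the practical takeaway for defenders: an instance that keeps the defaults (no bind restriction, no password, protected mode switched off) is exactly what Internet-wide scanning finds. The following audit script is an added example written for this article; it is not code from Unit 42, BleepingComputer or the Redis project. It parses a `redis.conf`, flags the settings that leave an instance exposed, and is run against two constructed configs: a weak one and a hardened one. The directive names (`bind`, `protected-mode`, `requirepass`, `user`, `rename-command`) are real `redis.conf` directives; the severity labels, the list of commands worth disabling, and the sample password are this example's own choices.

```python
"""Audit a redis.conf for settings that leave the instance open to the
Internet-wide scanning described in the article.

Added example, not from Unit 42 or the Redis project. Both sample configs
below are constructed for illustration.
"""

# Administrative commands this example chooses to require renamed/disabled.
# The choice is the example's own, not a Redis project recommendation.
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "MODULE", "REPLICAOF", "SLAVEOF")

# Tokens in a `bind` line that accept connections from every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*"}


def parse_conf(text):
    """Return {directive: [value, ...]} from redis.conf text.

    A '#' only starts a comment at the beginning of a line (redis.conf has
    no inline comments). Repeated directives are kept in order, because
    `rename-command` and `user` may legitimately appear many times.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit(text):
    """Return a list of (severity, message) findings; [] means nothing flagged."""
    conf = parse_conf(text)
    findings = []

    # 1. Network exposure: no `bind` at all, or a wildcard address, means the
    #    instance accepts connections on every interface.
    binds = conf.get("bind", [])
    bind_all = not binds or any(
        tok in WILDCARD_BINDS for b in binds for tok in b.split()
    )

    # 2. Authentication: a non-empty requirepass, or an ACL `user` line that
    #    does not grant `nopass`, counts as configured.
    has_requirepass = any(v for v in conf.get("requirepass", []))
    has_acl_auth = any("nopass" not in u.lower() for u in conf.get("user", []))
    authenticated = has_requirepass or has_acl_auth

    if bind_all:
        findings.append(("HIGH" if not authenticated else "MEDIUM",
                         "bind allows connections from any interface"))
    if not authenticated:
        findings.append(("HIGH", "no requirepass and no ACL user with a password"))

    # 3. protected-mode defaults to yes in modern Redis; an explicit `no`
    #    removes the last safety net for an unbound, unauthenticated instance.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append(("MEDIUM", "protected-mode disabled"))

    # 4. Admin commands: renamed (to anything, including "" = disabled) counts.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    left = [c for c in DANGEROUS_COMMANDS if c not in renamed]
    if left:
        findings.append(("LOW", "commands not renamed or disabled: " + ", ".join(left)))
    return findings


# Constructed sample: the kind of config an exposed instance typically runs.
WEAK_CONF = """\
# constructed example of a wide-open instance
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, password set, admin commands disabled.
# The password is a placeholder, not a real credential.
HARDENED_CONF = """\
# constructed example of a hardened instance
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "EXAMPLE-PLACEHOLDER-change-me"
rename-command CONFIG ""
rename-command DEBUG ""
rename-command MODULE ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
"""

if __name__ == "__main__":
    for name, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for severity, message in audit(conf_text) or [("OK", "no findings")]:
            print(f"  {severity}: {message}")
```

Run it against your own `redis.conf` by reading the file into `audit()`; the weak sample produces four findings and the hardened sample none. The script inspects configuration only, so it does not need a running Redis and never connects to anything.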
