
New P2PInfect worm targets Redis servers with unknown breach methods

The P2PInfect peer-to-peer (P2P) worm has been observed using previously undocumented initial access methods to infiltrate vulnerable Redis servers and tie them into a botnet.

“The malware exploits the replication feature to compromise exposed instances of the Redis data store,” Cado security researchers Nate Bill and Matt Muir said in a report.

“A common attack pattern against Redis in cloud environments is to exploit this feature by using a malicious instance to enable replication. This is achieved through connecting to an exposed Redis instance and issuing the SLAVEOF command.”

The Rust-based malware was first documented by Palo Alto Networks Unit 42, which reported its ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to gain a foothold in Redis instances. The operation is believed to have started on or after June 29, 2023.

However, the latest findings suggest that the threat actors behind the campaign are taking advantage of multiple exploits for initial access.

This isn’t the first time the SLAVEOF command has been abused in the wild. In the past, threat actors behind malware families such as H2Miner and HeadCrab have used the same technique to illicitly mine cryptocurrency on compromised hosts.

In this case, the goal is to make the exposed server replicate from a malicious instance and load a malicious module, which triggers the infection.

Another initial access vector involved registering a malicious cron job on the Redis host that downloads malware from a remote server when it runs, a method previously seen in attacks by the WatchDog cryptojacking group.

A successful breach is followed by delivery of the next-stage payload, which allows the malware to change iptables firewall rules at will, update itself, and potentially deploy cryptocurrency miners at a later date once the botnet has grown to a certain size.

“The P2Pinfect malware uses a peer-to-peer botnet,” the researchers said. “Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to chat with each other without using a centralized C2 server.”

A notable characteristic of the botnet is its worm-like behavior, which lets it expand its reach: it brute-forces SSH servers using a list of passwords and, in the case of Redis servers, attempts to exploit the Lua sandbox escape vulnerability or uses the SLAVEOF command.
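The replication abuse described above (an exposed instance being pointed at an attacker-controlled master via SLAVEOF/REPLICAOF, followed by a module load) leaves a clear trace in Redis command telemetry. The following detector is an added example, not code from the article or from Cado; it parses the standard Redis MONITOR output format over constructed sample lines and flags replication requests to any master outside an operator-supplied allowlist, plus any MODULE LOAD. The IP addresses, paths and allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Redis MONITOR line format: <unix_ts> [<db> <client_ip:port>] "CMD" "arg1" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
# Each argument is a double-quoted string; backslash escapes may appear inside.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

@dataclass
class Finding:
    ts: float
    client: str      # ip:port of the client that issued the command
    command: str
    reason: str

def parse_monitor_line(line: str) -> Optional[Tuple[float, str, List[str]]]:
    """Split one MONITOR line into (timestamp, client, [command, args...])."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("client"), ARG_RE.findall(m.group("rest"))

def detect(lines: Iterable[str], trusted_masters: Set[str]) -> List[Finding]:
    """Flag replication to non-allowlisted masters and any module load."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 3:
            master = f"{args[1]}:{args[2]}"
            # "SLAVEOF NO ONE" only promotes the node; it does not pull data from elsewhere.
            if args[1].upper() != "NO" and master not in trusted_masters:
                findings.append(Finding(ts, client, cmd, f"replication from untrusted master {master}"))
        elif cmd == "MODULE" and len(args) >= 2 and args[1].upper() == "LOAD":
            path = args[2] if len(args) > 2 else "<none>"
            findings.append(Finding(ts, client, cmd, f"module load from {path}"))
    return findings

# Constructed sample MONITOR output: normal traffic, one legitimate replica
# configuration, and one client pointing the server at an outside master.
SAMPLE_MONITOR = """\
1689609700.100000 [0 10.0.0.12:51000] "GET" "session:abc"
1689609701.200000 [0 10.0.0.12:51001] "SET" "session:abc" "x"
1689609702.300000 [0 198.51.100.7:40211] "SLAVEOF" "198.51.100.7" "6379"
1689609703.400000 [0 10.0.0.20:51200] "REPLICAOF" "10.0.0.2" "6379"
1689609704.500000 [0 198.51.100.7:40212] "MODULE" "LOAD" "/tmp/example.so"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_MONITOR.splitlines(), trusted_masters={"10.0.0.2:6379"}):
        print(f"{f.ts:.0f} {f.client} {f.command}: {f.reason}")
```

On the sample above only the SLAVEOF toward 198.51.100.7 and the MODULE LOAD are reported; the REPLICAOF toward the allowlisted 10.0.0.2 master is accepted.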

“P2Pinfect is well designed and uses sophisticated techniques for replication and C2,” the researchers concluded. “The choice to use Rust allows easy portability of code across all platforms (Windows and Linux binaries share the same code), while also making static analysis of the code significantly more difficult.”
