Cado Security researchers warned that the P2Pinfect worm is employed in attacks against Redis servers, aimed at deploying both ransomware and cryptocurrency mining payloads.
In July 2023, Palo Alto Networks Unit 42 researchers first discovered the P2P worm P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.

In December 2023, Cado Security Labs discovered a new variant of the P2Pinfect botnet that targeted routers, IoT devices, and other embedded devices. This variant has been compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.
The worm is written in the Rust programming language and targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).
In September 2023, Cado Security Labs reported that it had witnessed a 600x increase in P2Pinfect traffic since August 28th.
“P2Pinfect is a worm, so all infected machines will scan the internet for more servers to infect with the same vector described above. P2Pinfect also features a basic SSH password sprayer, where it will try a few common passwords with a few common users, but the success of this infection vector seems to be a lot less than with Redis, likely as it is oversaturated,” reads the report published by Cado. “Upon launch it drops an SSH key into the authorised key file for the current user and runs a series of commands to prevent access to the Redis instance apart from IPs belonging to existing connections.”
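The two SSH-side behaviours Cado describes (a low-volume password sprayer and a key dropped into the current user's authorized_keys file) are both cheap to check for on a Redis host. The script below is an added defender-side example, not Cado's code or anything from the P2Pinfect sample: it flags source IPs that fail logins against several distinct accounts in sshd logs, and lists authorized_keys entries that are not on an approved list. The log lines, hostnames, IPs and key material are all constructed for illustration.

```python
"""Detection helpers for the SSH behaviours described above.
Added example; the log lines, keys and allowlist are constructed, not real data."""
from collections import defaultdict
import re

# Constructed sshd log lines in syslog format (not captured traffic).
# 203.0.113.7 tries a different username on every attempt, which is the
# spray pattern; 198.51.100.4 is an ordinary user with one typo.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 redis-01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:12:02 redis-01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jan 10 03:12:03 redis-01 sshd[2213]: Failed password for invalid user ubuntu from 203.0.113.7 port 51124 ssh2
Jan 10 03:12:04 redis-01 sshd[2214]: Failed password for invalid user redis from 203.0.113.7 port 51125 ssh2
Jan 10 03:12:05 redis-01 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51126 ssh2
Jan 10 03:15:40 redis-01 sshd[2290]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 03:15:44 redis-01 sshd[2291]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_password_spray(log_text, min_distinct_users=3):
    """Return {ip: sorted usernames} for source IPs that failed logins against
    at least `min_distinct_users` different accounts.

    A sprayer tries a few passwords across a few users, so the signal is the
    number of distinct users per source IP, not the number of failures per
    user (which classic brute-force rules already cover)."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            users_by_ip[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}


# Constructed authorized_keys content: one approved key and one unknown key.
SAMPLE_AUTHORIZED_KEYS = """\
# ops-approved key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyOps0000000000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleUnknownKeyDroppedByWorm000000000 root@unknown
"""

# Allowlist of "<type> <base64>" pairs; the comment field is deliberately not
# part of the identity, since anyone can write a friendly-looking comment.
APPROVED_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyOps0000000000000000000",
}

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def audit_authorized_keys(content, approved):
    """Return the "<type> <base64>" entries present in the file but absent from
    `approved`. Blank lines, comments and an options prefix such as
    command="..." are skipped so the key itself is what gets compared."""
    unexpected = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed entry; sshd would ignore it too
        key = f"{fields[idx]} {fields[idx + 1]}"
        if key not in approved:
            unexpected.append(key)
    return unexpected


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_AUTH_LOG).items():
        print(f"possible password spray from {ip}: users tried {users}")
    for key in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS):
        print(f"unapproved authorized_keys entry: {key[:40]}...")
```

On a real host the same two functions would be fed `/var/log/auth.log` (or `journalctl -u ssh`) and `~/.ssh/authorized_keys` for the Redis service account; the distinct-user threshold is the knob to tune, since the quoted report says the sprayer only tries "a few common users".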
To date, the miner has made approximately £9,660.
Pierluigi Paganini