home.social

#techthreats — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #techthreats, aggregated by home.social.

  1. 🔒 Technical Mastodon Toot 🔒

    Title: P2Pinfect - Self-Replicating Worm Malware Targeting Redis Data Stores 🐛

    P2Pinfect is a self-replicating worm malware actively targeting exposed Redis data stores. Redis is a popular in-memory multi-modal database known for its sub-millisecond latency, used by companies like Twitter, GitHub, Snapchat, Craigslist, and StackOverflow for live-streaming and quick-response use cases. 🌐🗃️

    💣 Malware Capabilities:

    • Attempts multiple Redis exploits for initial access.
    • Utilizes Rust for payload development, making analysis tricky.
    • Uses multiple evasion techniques to hinder dynamic analysis.
    • Conducts internet scanning for Redis and SSH servers.
    • Self-replicates in a worm-like manner. 🐍🔁

    📥 Infection Mechanism:
    P2Pinfect exploits a critical vulnerability (CVE-2022-0543) and replicates the main database for high availability and counter failover scenarios. After compromising a vulnerable Redis instance, P2Pinfect downloads new OS-specific scripts and malicious binaries and adds the server to its list of infected systems. The malware adds the infected server to its peer-to-peer network, allowing future compromised Redis servers to access the bundle of malicious payloads. 🚪🌐🔓

    💣 Payload Execution:
    The primary payload is an ELF binary written in a combination of C and Rust. After execution, the binary updates the SSH configuration of the host, enabling the attacker to connect to the server via SSH with password authentication. The threat actor then restarts the SSH service and adds an SSH key to the list of authorized keys for the current user. 🔑🚀💻

    💼 Post-Infection Actions:

    • Renames the wget and curl binaries to hinder incident responders from using them for forensics.
    • Checks for the presence of specific utilities (iptables, awk, netstat) and installs them if not available.
    • Uses netstat and awk to collect a list of all IPs currently connected to the Redis server.
    • Adds iptables rules to allow traffic from these IPs to the Redis server and deny all other traffic to the Redis server. All traffic is allowed to a randomly chosen port the primary payload listens on for botnet communications. 🛡️🕵️‍♂️📊

    🤖 Botnet Formation:
    The infected server receives at least one binary that can scan through /proc and monitor changes. The binary can upgrade the main malware binary if its signature does not match the one pulled from the botnet. Each compromised Redis server becomes a node, turning the network into a peer-to-peer botnet without the need for a centralized command and control (C2) server. 🕸️🌐🤯

    🧩 Conclusion:
    The purpose of P2Pinfect remains unclear. Although a binary called "miner" is present, no evidence of cryptomining has been observed. It is possible that this is just the initial stage of the campaign, and additional functionality, possibly cryptomining, will be added after a sufficient number of Redis instances have been compromised. The malware's use of Rust and C's Foreign Function Interface feature adds complexity, making it difficult to detect and analyze. 🕵️‍♀️🛡️💻

    📚 Sources:
    🔗 neowin.net/news/self-replicati
    🔗 linuxsecurity.com/news/vendors
    🔗 bleepingcomputer.com/news/secu

    Stay vigilant, stay secure! 🛡️🔒 #Cybersecurity #Malware #Redis #P2Pinfect #TechThreats
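
The post-infection actions listed above (SSH config flipped back to password logins, an extra authorized key, wget/curl renamed, an iptables allow-list on the Redis port plus one randomly chosen port open to everyone) are all things a responder can check for on a host. The script below is an added example written for this page, not code from the post or from the outlets it cites; it runs offline over constructed sample artefacts (an sshd_config, an authorized_keys file, an `iptables-save` dump and a PATH listing). The indicator names, `REDIS_PORT`, `EXPECTED_OPEN_PORTS` and the baseline key list are assumptions of the example.

```python
"""Host triage for P2Pinfect-style post-infection indicators (added example;
indicator names, REDIS_PORT, EXPECTED_OPEN_PORTS and BASELINE_KEYS are assumed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

REDIS_PORT = 6379                       # assumed: default Redis port
EXPECTED_TOOLS = ("curl", "wget")       # the post says these get renamed
EXPECTED_OPEN_PORTS = {22, REDIS_PORT}  # assumed: ports allowed to accept from anywhere


@dataclass(frozen=True)
class Finding:
    indicator: str
    detail: str


def effective_sshd_options(text: str) -> dict[str, str]:
    """sshd keeps the FIRST value it sees for a keyword, so a later
    'PasswordAuthentication no' does not undo an earlier 'yes'. Parsing
    stops at the first Match block, whose options are conditional."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return opts


def check_sshd(text: str) -> list[Finding]:
    opts = effective_sshd_options(text)
    out = []
    # OpenSSH defaults: PasswordAuthentication yes, PermitRootLogin prohibit-password
    if opts.get("passwordauthentication", "yes") == "yes":
        out.append(Finding("ssh_password_auth", "PasswordAuthentication is effectively yes"))
    if opts.get("permitrootlogin", "prohibit-password") == "yes":
        out.append(Finding("ssh_root_password_login", "PermitRootLogin yes"))
    return out


def check_authorized_keys(text: str, baseline: set[str]) -> list[Finding]:
    """Flag any key blob not in the baseline; options and comments are ignored."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # an entry may start with options such as no-pty or command="..."
        idx = next((i for i, t in enumerate(fields)
                    if t.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields)), None)
        if idx is None:
            continue
        blob = fields[idx + 1]
        if blob not in baseline:
            out.append(Finding("unknown_authorized_key", f"{fields[idx]} {blob[:12]}..."))
    return out


def check_tools(path_listing: set[str]) -> list[Finding]:
    return [Finding("missing_tool", f"{t} not found on PATH")
            for t in EXPECTED_TOOLS if t not in path_listing]


RULE_RE = re.compile(r"^-A INPUT(?: -s (\S+))? -p tcp -m tcp --dport (\d+) -j (ACCEPT|DROP|REJECT)")


def check_iptables(dump: str) -> list[Finding]:
    """Two patterns from the post: per-source ACCEPTs to the Redis port followed
    by a catch-all DROP, and a non-approved port accepted from any source."""
    per_port: dict[int, list[tuple[str | None, str]]] = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, port, target = m.groups()
            per_port.setdefault(int(port), []).append((src, target))
    out = []
    for port, rules in sorted(per_port.items()):
        allowed = [s for s, t in rules if t == "ACCEPT" and s]
        catch_all_block = any(s is None and t != "ACCEPT" for s, t in rules)
        open_to_all = any(s is None and t == "ACCEPT" for s, t in rules)
        if port == REDIS_PORT and allowed and catch_all_block:
            out.append(Finding("redis_source_allowlist",
                               f"only {', '.join(allowed)} reach tcp/{port}; others dropped"))
        if open_to_all and port not in EXPECTED_OPEN_PORTS:
            out.append(Finding("unexpected_open_port", f"tcp/{port} accepted from any source"))
    return out


# ---- constructed sample artefacts (not real data) ----
SAMPLE_SSHD_CONFIG = "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n"
BASELINE_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY0000000000000000000000"}
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY0000000000000000000000 admin@bastion\n"
    "no-pty ssh-rsa AAAAB3NzaC1yc2EUNKNOWNKEY00000000000000000000000000 unknown@nowhere\n")
SAMPLE_PATH_LISTING = {"bash", "ls", "netstat", "awk", "iptables"}   # curl and wget gone
SAMPLE_IPTABLES_SAVE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -s 10.0.0.9/32 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j DROP
-A INPUT -p tcp -m tcp --dport 44817 -j ACCEPT
COMMIT
"""


def triage_sample() -> list[Finding]:
    """Run every check over the constructed artefacts and return all findings."""
    return (check_sshd(SAMPLE_SSHD_CONFIG)
            + check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_KEYS)
            + check_tools(SAMPLE_PATH_LISTING)
            + check_iptables(SAMPLE_IPTABLES_SAVE))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.indicator}] {f.detail}")
```

On a live host, feed the functions the real `/etc/ssh/sshd_config`, `~/.ssh/authorized_keys`, the output of `iptables-save`, and the names on `PATH`; the sshd parser deliberately keeps the first value of each keyword because that is what sshd does, so a config that only appends `PasswordAuthentication no` at the end still reports password logins as enabled.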

  2. 🔒 Technical Mastodon Toot 🔒

    P2Pinfect - A Sophisticated Self-Replicating Worm Malware Targeting Redis Data Stores 🐛

    Greetings, fellow SEC ppl 🤖🛡️ Today I saw a lot of articles about P2Pinfect, a self-replicating worm malware that has been causing quite a stir in the realm of Redis data stores. 🌐🗃️

    🔍 Introduction:
    P2Pinfect, a cunning botnet agent malware written in Rust, has set its sights on vulnerable instances of the widely used Redis data store. Redis is renowned for its exceptional sub-millisecond latency and finds applications in live-streaming and quick-response scenarios for big players like Twitter, GitHub, and more. 🐦💬🎮

    💻 Malware Capabilities:
    This crafty malware packs quite a punch with its capabilities:

    1. It relentlessly attempts multiple Redis exploits for initial access.
    2. The utilization of Rust in payload development makes analysis an arduous task.
    3. Employing various evasion techniques, it cunningly thwarts dynamic analysis.
    4. Internet scanning for Redis and SSH servers is conducted to broaden its scope.
    5. To add to its sinister charm, it self-replicates like a true worm. 🐍🔁

    📥 Infection Mechanism:
    P2Pinfect leverages a critical vulnerability (CVE-2022-0543) and exploits a feature designed for database replication and high availability. Once it infiltrates a vulnerable Redis instance with its initial payload, it proceeds to download OS-specific scripts and malicious binaries. The compromised server becomes part of its infected network, paving the way for future Redis targets to fall prey to the bundle of malevolence. 🚪🌐🔓

    💣 Payload Execution:
    The primary payload, an ELF binary written in a combination of C and Rust, wreaks havoc upon execution. It manipulates the host's SSH configuration, shifting the OpenSSH server configuration to nearly default settings, allowing the attacker to gain access via the SSH protocol with password authentication. The SSH service is then restarted, and an SSH key is added to the authorized keys list for the current user. 🔑🚀💻

    💼 Post-Infection Actions:
    Post-infection, P2Pinfect takes several steps to consolidate its hold:

    1. It slyly renames wget and curl binaries to foil incident responders attempting to use them for forensics.
    2. The malware ensures necessary utilities (iptables, awk, netstat) are in place and installs them if missing.
    3. Utilizing netstat and awk, it creates a list of all IPs currently connected to the Redis server on the target host.
    4. To maintain control, it sets up iptables rules allowing traffic from these IPs to the Redis server while denying all other traffic, with a randomly chosen port designated for botnet communications. 🛡️🕵️‍♂️📊

    🤖 Botnet Formation:
    P2Pinfect masterfully establishes a peer-to-peer botnet, treating each compromised Redis server as a node. It deploys a binary capable of scanning through /proc, monitoring changes, and upgrading the main malware binary when required. This eliminates the need for a centralized command and control (C2) server, making it a formidable force in the shadows. 🕸️🌐🤯

    🧩 Conclusion:
    The intentions of P2Pinfect remain shrouded in mystery. While the presence of a binary labeled "miner" is intriguing, no evidence of cryptomining has surfaced so far. It is possible that this is just the initial stage of the campaign, with more functionalities, possibly cryptomining, to be unleashed once a significant number of Redis instances are compromised. The malware's sophistication lies in its use of Rust and the amalgamation with C's Foreign Function Interface, making it a complex and elusive adversary with minimal tooling for analysis. 🕵️‍♀️🛡️💻

    📚 Sources:
    🔗 neowin.net/news/self-replicati
    🔗 linuxsecurity.com/news/vendors
    🔗 bleepingcomputer.com/news/secu

    Stay vigilant, stay secure! 🛡️🔒 #Cybersecurity #Malware #Redis #P2Pinfect #TechThreats
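
The post above describes the precondition for the whole chain: a Redis instance that is reachable from the internet and whose replication feature can be driven by anyone who can talk to it. The audit below is an added example for this page, not code from the post or from the outlets it cites. It parses a redis.conf fragment and reports the settings that create that exposure (binding to all interfaces, protected mode off, no authentication, replication and configuration commands left under their default names), and shows a weak configuration next to a hardened one. Both configurations are constructed samples; the directive defaults assumed when a line is absent, the list of commands in `RESTRICT_COMMANDS` and the finding names are this example's assumptions.

```python
"""redis.conf exposure audit (added example; defaults, RESTRICT_COMMANDS and
finding names are assumptions; both sample configs are constructed)."""
from __future__ import annotations

# assumed: commands a standalone, single-tenant instance has no reason to expose
RESTRICT_COMMANDS = ("REPLICAOF", "SLAVEOF", "CONFIG", "MODULE", "DEBUG")
ALL_INTERFACES = {"*", "0.0.0.0", "::", "::*"}


def parse_redis_conf(text: str) -> tuple[dict[str, list[str]], dict[str, str]]:
    """Return (directives, renames). redis.conf treats only a line starting
    with '#' as a comment, and a later directive overrides an earlier one."""
    directives: dict[str, list[str]] = {}
    renames: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "rename-command" and len(args) == 2:
            renames[args[0].upper()] = args[1]   # '""' as the new name disables the command
        else:
            directives[key] = args
    return directives, renames


def audit(text: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means no exposure found."""
    directives, renames = parse_redis_conf(text)
    findings: list[tuple[str, str]] = []

    # assumed: with no 'bind' directive Redis listens on every interface
    bind = directives.get("bind", ["*"])
    if any(addr.lstrip("-") in ALL_INTERFACES for addr in bind):   # '-' marks optional addresses
        findings.append(("bind_all_interfaces", " ".join(bind)))

    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append(("protected_mode_off", "protected-mode no"))

    if not any(k in directives for k in ("requirepass", "aclfile", "user")):
        findings.append(("no_authentication", "no requirepass, aclfile or user directive"))

    for cmd in RESTRICT_COMMANDS:
        if cmd not in renames:   # neither renamed nor disabled
            findings.append(("command_not_restricted", cmd))
    return findings


EXPOSED_CONF = """\
# constructed sample: reachable from anywhere, no password
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
# constructed sample: loopback only, password set, risky commands disabled
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command REPLICAOF ""
rename-command SLAVEOF ""
rename-command CONFIG ""
rename-command MODULE ""
rename-command DEBUG ""
"""


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

On Redis 6 and later, ACL rules (for example denying the `@dangerous` category to application users) are the supported way to restrict these commands and `rename-command` is kept for compatibility; the audit only checks the latter. A hardened configuration narrows who can reach the instance; it does not replace applying the vendor fix for CVE-2022-0543 itself.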