A novel peer-to-peer botnet called P2Pinfect, which targets the open source Redis and SSH services, has reportedly experienced a 600-fold increase in activity since August 28, including a 12.3% increase in traffic over the past week.
In a September 20 blog post, Cado Security Labs reported that P2Pinfect compromises have been observed in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan.
Researchers first discovered P2Pinfect in July targeting servers hosting publicly accessible instances of the Redis open source database. In the new blog post, the researchers noted that targeting Redis is only half of P2Pinfect's functionality: the malware can also propagate via SSH, and it ships with a list of username/password pairs to assist with brute-forcing.
In terms of the potential danger, Matt Muir, threat research lead at Cado Security, explained that attackers could use a botnet of this scale to conduct disruptive DDoS attacks as we've seen used by hacktivists throughout the Russia/Ukraine war. Muir added that attackers could also use it to mine cryptocurrency at scale, or simply to support additional malware campaigns or social engineering operations such as phishing.
“Security teams should be concerned about P2Pinfect as it's a rapidly expanding (and therefore increasingly powerful) botnet targeting web-facing infrastructure,” said Muir. “If security teams find they are running one of the Redis or SSH services that the botnet targets, they should review their approach to securing these services.”
Muir said that for Redis, this typically means avoiding exposing the data store to the public internet. If that is unavoidable, Muir said, consider enabling authentication, as it's now natively supported. For SSH, Muir advised favoring key-based authentication using keypairs generated with a robust signature scheme, such as Ed25519, and ensuring root login and password authentication are disabled. An additional recommended step is implementing IP whitelisting for the organization's known IPs, to prevent unauthorized access to these services.
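As an added example (this is not Cado Security's code, nor anything shipped by Redis or OpenSSH), the following POSIX shell script checks a redis.conf and an sshd_config for the settings Muir describes: a Redis instance bound to all interfaces with protected mode off and no password, and an sshd that still accepts passwords or direct root logins. The file paths and the four sample configurations are constructed for the demonstration. The parser assumes whitespace-separated `Key value` lines, resolves repeated directives the way both daemons do (last uncommented occurrence wins), and does not scope sshd `Match` blocks, so treat it as a first-pass audit rather than a full config parser.

```shell
#!/bin/sh
# Added example, not Cado Security's code: audit a redis.conf and an sshd_config
# for the weak settings behind the P2Pinfect guidance. File paths and the
# sample configs below are constructed for the demo.

# Effective value of KEY in FILE: the last uncommented occurrence wins, as in
# redis-server and sshd. Keys are compared case-insensitively (sshd_config keys
# are case-insensitive; Redis keys are lowercase). Assumes "Key value" lines
# and ignores sshd Match-block scoping.
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# Report Redis settings that leave the store reachable and unauthenticated.
# Prints one finding per line; the exit status is the number of findings.
audit_redis() {
    n=0
    case "$(conf_value "$1" bind)" in
        ""|0.0.0.0|"*"|::) echo "redis: listens on all interfaces (bind unset or wildcard)"; n=$((n + 1)) ;;
    esac
    if [ "$(conf_value "$1" protected-mode)" = "no" ]; then
        echo "redis: protected-mode no"; n=$((n + 1))
    fi
    # requirepass is the classic setting; Redis 6+ ACL 'user' rules also provide
    # authentication, so a file with 'user' lines is treated as authenticated.
    if [ -z "$(conf_value "$1" requirepass)" ] && ! grep -q '^[[:space:]]*user[[:space:]]' "$1"; then
        echo "redis: no authentication (requirepass/ACL)"; n=$((n + 1))
    fi
    return $n
}

# Report sshd settings a credential brute-forcer needs: password logins and
# direct root access. sshd defaults are PasswordAuthentication yes,
# PermitRootLogin prohibit-password, PubkeyAuthentication yes.
audit_sshd() {
    n=0
    pa=$(conf_value "$1" PasswordAuthentication)
    if [ "${pa:-yes}" = "yes" ]; then
        echo "sshd: PasswordAuthentication yes (brute-forceable)"; n=$((n + 1))
    fi
    if [ "$(conf_value "$1" PermitRootLogin)" = "yes" ]; then
        echo "sshd: PermitRootLogin yes"; n=$((n + 1))
    fi
    if [ "$(conf_value "$1" PubkeyAuthentication)" = "no" ]; then
        echo "sshd: PubkeyAuthentication no"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample configs (hypothetical paths): a weak pair and a hardened pair.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/redis-weak.conf" <<'EOF'
bind 0.0.0.0
protected-mode no
port 6379
EOF
cat > "$DEMO/redis-hardened.conf" <<'EOF'
bind 127.0.0.1 -::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
EOF
cat > "$DEMO/sshd-weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$DEMO/sshd-hardened.conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers deploy@203.0.113.0/24
EOF

for f in "$DEMO"/redis-*.conf "$DEMO"/sshd-*.conf; do
    echo "== $(basename "$f")"
    case "$f" in *redis*) audit_redis "$f" ;; *) audit_sshd "$f" ;; esac && echo "   hardened"
done
```

Run it against the real files (`audit_redis /etc/redis/redis.conf; audit_sshd /etc/ssh/sshd_config`) on any host that exposes either service. The `AllowUsers user@CIDR` line in the hardened sshd sample is one way to express the IP allow-listing Muir recommends inside sshd itself; a firewall rule in front of both ports is the more common placement.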
“The botnet has grown significantly in the short space of time since we initially discovered it,” said Muir. “Prior to publishing the blog we identified 219 unique IPs compromised by P2Pinfect. This number is highly conservative, as it represents peers in the botnet that have directly interacted with either our honeypot infrastructure or dynamic analysis instances - the real number is likely far higher."
When Cado researchers first encountered the malware, they were only seeing a handful of attempts to spread the malware per week. This number has grown to 3,619 events in the week between the 12th and 19th of September, suggesting more nodes have been infected by the malware.
Andrew Barratt, vice president at Coalfire, said he's concerned about this new botnet on a number of levels. Redis is an in-memory data store that's highly versatile, said Barratt; if there are storage-based vulnerabilities, this could have some really interesting downstream compromise vectors.
“This could also be a testbed for some of the very high-profile names using the product,” said Barratt. “Some of the biggest tech firms in the world are fairly open about their use of the product, so much so that their names are all listed on the Redis Wikipedia site (Amazon, Adobe). So, piloting some malware against smaller firms could be a sandbox for a much more sophisticated and targeted attack against some very big names that are consumer staples.”