Since late August 2023 [2] [3] [4], the P2PInfect botnet worm has experienced a significant surge in activity [2] [5], with a 600-fold increase in traffic between September 12 and 19, 2023. This surge coincides with the emergence of multiple malware variants [3], indicating that its developers are iterating rapidly [4].

Description

Cado Security researchers have observed global activity related to the P2PInfect botnet worm. The most impacted countries include China, the United States [1] [5], Germany [1] [2] [4] [5], Singapore [1] [2] [4] [5], Hong Kong [1] [2] [4] [5], the UK [1] [2] [4] [5], and Japan [1] [2] [4] [5]. Initially targeting poorly secured Redis instances [2] [4], the malware has since adopted different methods [2] [4], including exploiting the database’s replication feature [2] [4].

The latest samples of P2PInfect demonstrate ongoing development, with new features added to enhance its spreading capabilities. These features include a cron-based persistence mechanism [5], a secondary bash payload for communication [5], and the use of an SSH key to prevent legitimate users from logging in [5]. If P2PInfect gains root access, it also changes the passwords for other users on the system. Additionally, the malware now uses a dynamically updated C struct configuration in memory.
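The persistence mechanisms described above (cron entries and an attacker-controlled SSH key) are the kind of host changes a defender can catch by comparing the current state of `authorized_keys` and crontab files against a recorded baseline. The following is an added example, not code from the original report or from any of the cited sources; the baseline and current file contents are constructed samples with placeholder key material, and the `/tmp/placeholder_unknown_binary` path is a hypothetical value, not an indicator from the page.

```python
"""Baseline comparison for SSH authorized_keys and crontab entries.

Added example: records which keys and cron jobs are expected, then reports
anything that has appeared or disappeared. Sample inputs below are constructed.
"""

# Constructed baseline and current authorized_keys contents (placeholder keys).
BASELINE_AUTHORIZED_KEYS = """
# constructed sample baseline
ssh-ed25519 AAAA_PLACEHOLDER_BASELINE_KEY admin@example
"""

CURRENT_AUTHORIZED_KEYS = """
# constructed sample: one extra key has been appended with restrictive options
ssh-ed25519 AAAA_PLACEHOLDER_BASELINE_KEY admin@example
no-pty,no-port-forwarding ssh-rsa AAAA_PLACEHOLDER_UNKNOWN_KEY
"""

# Constructed baseline and current crontab contents.
BASELINE_CRONTAB = """
# constructed sample baseline
0 2 * * * /usr/local/bin/backup.sh
"""

CURRENT_CRONTAB = """
# constructed sample: a new every-minute job has been added (hypothetical path)
0 2 * * *   /usr/local/bin/backup.sh
* * * * * /tmp/placeholder_unknown_binary
"""

# Key-type prefixes recognised in authorized_keys lines.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")


def parse_authorized_keys(text):
    """Return a set of (key_type, key_blob) tuples.

    Options and comments are deliberately ignored so that a known key re-added
    with different options still matches the baseline. Simplification: options
    containing quoted spaces (e.g. command="...") are not handled.
    """
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                keys.add((tok, tokens[i + 1]))
                break
    return keys


def parse_crontab(text):
    """Return a set of crontab entries with whitespace normalised, comments dropped."""
    entries = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entries.add(" ".join(line.split()))
    return entries


def diff_against_baseline(baseline, current):
    """Report entries present now but not in the baseline, and vice versa."""
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


def audit_persistence(baseline_keys, current_keys, baseline_cron, current_cron):
    """Combine both comparisons into one report keyed by artifact name."""
    return {
        "authorized_keys": diff_against_baseline(
            parse_authorized_keys(baseline_keys), parse_authorized_keys(current_keys)
        ),
        "crontab": diff_against_baseline(
            parse_crontab(baseline_cron), parse_crontab(current_cron)
        ),
    }


if __name__ == "__main__":
    report = audit_persistence(
        BASELINE_AUTHORIZED_KEYS, CURRENT_AUTHORIZED_KEYS, BASELINE_CRONTAB, CURRENT_CRONTAB
    )
    for artifact, changes in report.items():
        for entry in changes["added"]:
            print(f"[{artifact}] ADDED:   {entry}")
        for entry in changes["removed"]:
            print(f"[{artifact}] REMOVED: {entry}")
```

In practice the baseline would be captured at provisioning time and stored off-host, and the comparison run on a schedule or from a file-integrity monitor; any added key or cron entry that nobody can account for is worth an incident ticket rather than a silent clean-up.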

While the exact goals of P2PInfect remain unclear [2] [4], it has been observed attempting to fetch a crypto miner payload [2] [4]. Speculations suggest that the developers may be planning to implement additional functionality or sell access to the botnet [2] [4].

The botnet has grown significantly [1], with 219 unique compromised IPs identified [1], and the number of attempts to spread the malware has increased to 3,619 events in a week [1]. Experts express concerns about potential vulnerabilities in Redis and the possibility of using smaller firms as a testbed for more sophisticated attacks against larger tech firms [1].

Conclusion

Given the impact and potential risks associated with the P2PInfect botnet worm, security teams are advised to review their approach to securing Redis and SSH services [1]. This includes avoiding exposing the data store to the public internet [1], enabling authentication [1], favoring key-based authentication [1], disabling root login and password authentication for SSH [1], and implementing IP whitelisting [1].
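The hardening points listed above map directly onto a handful of `redis.conf` and `sshd_config` directives. The following is an added example, not code from the original report or from any cited source: it parses both files and flags each recommendation that is not met, shown against a constructed weak configuration and a constructed hardened one. The directive names (`bind`, `protected-mode`, `requirepass`, `PermitRootLogin`, `PasswordAuthentication`, `PubkeyAuthentication`, `AllowUsers`) are real Redis and OpenSSH settings; the sample values, the `deploy` user and the `203.0.113.0/24` range are placeholders. Redis 6+ ACL `user` rules are not evaluated here, which is a simplification.

```python
"""Audit Redis and sshd configuration text against the hardening checklist above.

Added example with constructed sample configs; not the report's or any vendor's code.
"""

# Constructed sample: Redis listening on every interface with no authentication.
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, protected mode on, password required.
HARDENED_REDIS_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_STRONG_SECRET
"""

# Constructed sample: root and password logins permitted over SSH.
WEAK_SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: key-only logins, root disabled, source allow-list.
HARDENED_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.0/24
"""

# Addresses that keep Redis off the public network (Redis 7 also accepts a "-" prefix).
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}


def parse_directives(text):
    """Return {directive_lower: last_value}, skipping blank lines and comments.

    Both Redis and sshd treat a later occurrence of a directive as overriding an
    earlier one for single-valued settings, so keeping the last value is adequate here.
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def audit_redis(conf):
    """Exposure and authentication checks for a parsed redis.conf."""
    findings = []
    bind = conf.get("bind")
    if bind is None:
        # With no bind directive Redis listens on all interfaces.
        findings.append("redis: no 'bind' directive, listens on all interfaces")
    else:
        exposed = set(bind.split()) - LOOPBACK
        if exposed:
            findings.append(f"redis: bound to non-loopback address(es): {' '.join(sorted(exposed))}")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("redis: protected-mode disabled")
    if not conf.get("requirepass"):
        findings.append("redis: no requirepass set, unauthenticated access")
    return findings


def audit_sshd(conf):
    """Root login, password auth, key auth and allow-list checks for sshd_config."""
    findings = []
    # OpenSSH default is prohibit-password; the checklist asks for root login off entirely.
    if conf.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("sshd: root login not fully disabled (set PermitRootLogin no)")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd: password authentication enabled")
    if conf.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("sshd: public-key authentication disabled")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("sshd: no AllowUsers/AllowGroups allow-list")
    return findings


def audit_all(redis_text, sshd_text):
    """Run both audits over raw config text and return the combined findings."""
    return audit_redis(parse_directives(redis_text)) + audit_sshd(parse_directives(sshd_text))


if __name__ == "__main__":
    print("weak configs:")
    for f in audit_all(WEAK_REDIS_CONF, WEAK_SSHD_CONFIG):
        print("  -", f)
    print("hardened configs:", audit_all(HARDENED_REDIS_CONF, HARDENED_SSHD_CONFIG) or "no findings")
```

The `AllowUsers` entry stands in for the IP allow-listing point; a host firewall or security-group rule restricting port 6379 and port 22 to known source ranges serves the same purpose at the network layer and is the more robust place to enforce it.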

Mitigating the vulnerabilities in Redis and SSH services is crucial to prevent further spread of the malware and protect against potential attacks. Additionally, the growing sophistication of the P2PInfect botnet highlights the need for continuous monitoring and proactive security measures.

The implications of this surge in activity and the rapid development of the P2PInfect botnet warrant attention from security professionals. It is essential to stay vigilant, adapt security strategies, and collaborate with industry experts to mitigate the risks posed by this evolving threat.

References

[1] https://www.scmagazine.com/news/p2pinfect-botnet-targets-redis-and-ssh-services
[2] https://thehackernews.com/2023/09/researchers-raise-red-flag-on-p2pinfect.html
[3] https://gixtools.net/2023/09/researchers-raise-red-flag-on-p2pinfect-malware-with-600x-activity-surge/
[4] https://patabook.com/technology/2023/09/21/researchers-raise-red-flag-on-p2pinfect-malware-with-600x-activity-surge/
[5] https://www.redpacketsecurity.com/p-pinfect-botnet-activity-surges-x-with-stealthier-malware-variants/