New #P2PInfect bot targets routers and IoT devices
https://securityaffairs.com/155206/malware/p2pinfect-bot-routers-iot-devices.html
#securityaffairs #hacking #malware
During the scanning phase, the brute-force attempts against SSH servers leverage common username and password pairs embedded within the ELF binary itself.
#Cybersecurity #IoT #Malware #MIPS #Botnet #Routers #P2PInfect #SSH
Latest issue of my curated #cybersecurity and #infosec list of resources for week #38/2023 is out! It includes the following and much more:
➝ TransUnion Denies #Breach After Hacker Publishes Allegedly Stolen Data
➝ Hackers breached International Criminal Court’s systems last week
➝ #Microsoft #AI researchers accidentally exposed terabytes of internal sensitive data
➝ #BlackCat #ransomware hits #Azure Storage with #Sphynx encryptor
➝ Iranian Nation-State Actor OilRig Targets Israeli Organizations
➝ #India's biggest tech centers named as #cybercrime hotspots
➝ Finnish Authorities Dismantle Notorious #PIILOPUOTI Dark Web Drug Marketplace
➝ Canadian Government Targeted With #DDoS Attacks by Pro-#Russia Group
➝ #China Accuses U.S. of Decade-Long #Cyberespionage Campaign Against #Huawei Servers
➝ China's Malicious Cyber Activity Informing War Preparations, #Pentagon Says
➝ New #SprySOCKS Linux #malware used in cyber espionage attacks
➝ UK Minister Warns #Meta Over End-to-End Encryption
➝ One of the #FBI’s most wanted hackers is trolling the U.S. government
➝ Fake #WinRAR proof-of-concept exploit drops #VenomRAT malware
➝ #P2PInfect botnet activity surges 600x with stealthier malware variants
➝ Hackers backdoor #telecom providers with new HTTPSnoop malware
➝ #Bumblebee malware returns in new attacks abusing #WebDAV folders
➝ #GitHub launches #passkey support into general availability
➝ Free Download Manager releases script to check for #Linux malware
➝ #Signal adds quantum-resistant encryption to its #E2EE messaging protocol
➝ #iOS 17 includes these new security and #privacy features
➝ High-Severity Flaws Uncovered in #Atlassian Products and ISC BIND Server
➝ Incomplete disclosures by #Apple and #Google create “huge blindspot” for 0-day hunters
➝ Apple emergency updates fix 3 new zero-days exploited in attacks
➝ #TrendMicro fixes #endpoint protection zero-day used in attacks
➝ #Fortinet Patches High-Severity #Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
➝ Nearly 12,000 #Juniper #Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
This week's recommended reading is: "Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It" by Marc Goodman
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-382023
P2PInfect Botnet Skyrockets: A 600X Surge in Traffic Unveiled by Cado Security Labs
Cado Security Labs has unveiled a staggering 600X increase in P2PInfect traffic since August 28, with a notable 12.3% spike just a week before the publication of their findings. The botnet, primarily targeting servers hosting publicly-accessible instances of Redis, has seen its tentacles spread across China, the US, Germany, the UK, Singapore, Hong Kong, and Japan. The malware, dubbed P2PInfect, has evolved significantly since its discovery in July 2023, showcasing a self-update mechanism and a rapid release of new variants by its developers. The botnet's exponential growth is alarming, with its nodes now spanning across major Cloud Service Providers (CSPs) in both East-Asian and American regions. The malware's primary objective remains elusive, although its rapid iteration and geographical spread hint at a larger, possibly more nefarious agenda in the offing. The detailed analysis by Cado also sheds light on the botnet's sophisticated evasion and persistence mechanisms, making it a formidable threat to global cybersecurity.
Source: Cado Security Labs
Tags: #P2PInfect #Botnet #CyberSecurity #Malware #CadoSecurityLabs #Redis #CloudSecurity #CyberThreats #InfoSec
Technical Mastodon Toot
Title: P2Pinfect - Self-Replicating Worm Malware Targeting Redis Data Stores
P2Pinfect is a self-replicating worm malware actively targeting exposed Redis data stores. Redis is a popular in-memory multi-modal database known for its sub-millisecond latency, used by companies like Twitter, GitHub, Snapchat, Craigslist, and StackOverflow for live-streaming and quick-response use cases.
Infection Mechanism:
P2Pinfect exploits a critical vulnerability (CVE-2022-0543) and abuses Redis replication, a feature intended for high availability and failover, to spread. After compromising a vulnerable Redis instance, P2Pinfect downloads new OS-specific scripts and malicious binaries and adds the server to its list of infected systems. The malware adds the infected server to its peer-to-peer network, allowing future compromised Redis servers to access the bundle of malicious payloads.
The primary payload is an ELF binary written in a combination of C and Rust. After execution, the binary updates the SSH configuration of the host, enabling the attacker to connect to the server via SSH with password authentication. The threat actor then restarts the SSH service and adds an SSH key to the list of authorized keys for the current user.
Post-Infection Actions:
Botnet Formation:
The infected server receives at least one binary that can scan through /proc and monitor changes. The binary can upgrade the main malware binary if its signature does not match the one pulled from the botnet. Each compromised Redis server becomes a node, turning the network into a peer-to-peer botnet without the need for a centralized command and control (C2) server.
Conclusion:
The purpose of P2Pinfect remains unclear. Although a binary called "miner" is present, no evidence of cryptomining has been observed. It is possible that this is just the initial stage of the campaign, and additional functionality, possibly cryptomining, will be added after a sufficient number of Redis instances have been compromised. The malware's use of Rust and C's Foreign Function Interface feature adds complexity, making it difficult to detect and analyze.
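A host-side check for the two conditions the description above depends on: a Redis instance reachable from the outside, and the SSH changes the worm makes (password authentication switched on, an extra key in authorized_keys). This is an added example, not code from the original post or from any of the vendors cited; the config snippets, key blobs and allowlist are constructed for illustration.

```python
# Added example, not code from the original post or from the vendors cited.
# Audits the two host settings P2Pinfect relies on: an exposed Redis instance
# and SSH password auth plus an injected authorized_keys entry. The sample
# configs at the bottom are constructed for illustration.

def _directives(text):
    """Yield (lower-cased key, value) for non-blank, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def audit_redis(conf):
    """Flag settings that let an arbitrary remote host reach Redis."""
    d = dict(_directives(conf))                    # redis.conf: last value wins
    findings = []
    bind = d.get("bind", "0.0.0.0")                # no 'bind' = all interfaces
    if any(a in ("0.0.0.0", "*", "::") for a in bind.split()):
        findings.append("redis: bound to all interfaces")
    if d.get("protected-mode", "yes").lower() != "yes":
        findings.append("redis: protected-mode disabled")
    if not d.get("requirepass"):
        findings.append("redis: no requirepass set")
    return findings

def audit_sshd(conf):
    """Flag the password-auth state the worm switches on (Match blocks ignored)."""
    d = {}
    for k, v in _directives(conf):
        d.setdefault(k, v)                         # sshd_config: first value wins
    if d.get("passwordauthentication", "yes").lower() == "yes":
        return ["sshd: PasswordAuthentication enabled"]
    return []

def unknown_keys(authorized_keys, allowlist):
    """Return comments of authorized_keys entries whose blob is not allowlisted."""
    out = []
    for parts in (l.split() for l in authorized_keys.splitlines()):
        # options may precede the key type, so locate the type token first
        i = next((n for n, p in enumerate(parts)
                  if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if i is not None and i + 1 < len(parts) and parts[i + 1] not in allowlist:
            out.append(" ".join(parts[i + 2:]) or "<no comment>")
    return out

# Constructed samples: an exposed redis.conf, an sshd_config after the worm's
# edit (note the earlier 'yes' wins), and authorized_keys with one unknown key.
REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\n# requirepass changeme\n"
SSHD_CONF = "PasswordAuthentication yes\nPasswordAuthentication no\n"
AUTH_KEYS = "ssh-ed25519 AAAAOPS ops@corp\nno-pty ssh-rsa AAAAWORM unknown@host\n"
ALLOWLIST = {"AAAAOPS"}
```

Point the three functions at the real /etc/redis/redis.conf, /etc/ssh/sshd_config and ~/.ssh/authorized_keys of a host to get the same findings; any hit on the sshd or key checks on a box that also runs Redis is worth a closer look.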
Sources:
https://www.neowin.net/news/self-replicating-worm-malware-infects-exposed-redis-data-store-used-for-live-streaming/
https://linuxsecurity.com/news/vendors-products/worm-like-botnet-malware-targeting-popular-redis-storage-tool
https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spreads-using-redis-replication-feature/
Stay vigilant, stay secure! #Cybersecurity #Malware #Redis #P2Pinfect #TechThreats
Experts discovered a previously undocumented initial access vector used by #P2PInfect worm
https://securityaffairs.com/149012/malware/p2pinfect-worm-initial-access-vector.html
#securityaffairs #hacking #malware
Latest issue of my curated #cybersecurity and #infosec list of resources for week #29/2023 is out! It includes the following and much more:
➝ #Russia Seeks 18 Years in Jail for Founder of #Cybersecurity Firm
➝ Pro-Russian hacktivists increase focus on Western targets. The latest is #OnlyFans
➝ #DDoS Botnets Hijacking #Zyxel Devices to Launch Devastating Attacks
➝ New #P2PInfect Worm Targeting Redis Servers on #Linux and #Windows Systems
➝ #Google restricting internet access to some employees to reduce #cyberattack risk
➝ #Apple slams UK surveillance-bill proposals
➝ Cybersecurity firm #Sophos impersonated by new #SophosEncrypt ransomware
➝ #Ukraine takes down massive bot farm, seizes 150,000 SIM cards
➝ #CISA and #NSA Issue New Guidance to Strengthen #5G Network Slicing Against Threats
➝ Chinese #APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg #Spyware
➝ Famed Hacker Kevin Mitnick Dead at 59
➝ U.S. Government Blacklists #Cytrox and #Intellexa Spyware Vendors for Cyber Espionage
➝ #Citrix alerts users to critical vulnerability in Citrix ADC and Gateway
➝ #VirusTotal Data Leak Exposes Some Registered Customers' Details
➝ FIN8 Group Using Modified Sardonic #Backdoor for #BlackCat Ransomware Attacks
➝ #GitHub Security alert: social engineering campaign targets technology industry employees
➝ Analysis of #Storm0558 techniques for unauthorized email access
➝ Police arrests Ukrainian #scareware developer after 10-year hunt
➝ #Norway Threatens $100,000 Daily Fine on #Meta Over Data
➝ Two New Adobe #ColdFusion Vulnerabilities Exploited in Attacks
➝ #JumpCloud Says Sophisticated Nation-State Hackers Targeted Specific Customers
➝ #MOVEit Hack: Number of Impacted Organizations Exceeds 340
This week's recommended reading is: "Leadership Is Changing the Game - The Transition from Technical Expert to Leader" by Brian Donovan
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-292023