A peer-to-peer (P2P) worm known as P2PInfect has been discovered by security researchers at Unit42 to be actively targeting Windows and Linux based Redis servers. Redis is an open-source database application used in cloud environments. This Rust-based worm targets publicly communicating internet-exposed cloud-based servers by exploiting a flaw that is over a year old. There are no default authentication methods on Redis servers, and all data is stored in clear text, so running internet-exposed instances is never recommended.  If access over the internet is required, the most secure way for admins to set up a Redis server is to only allow remote access over a secure VPN or to use an IP allow list for access to the Redis port, and all other access should be denied by default. That way only trusted clients can connect to the port and access the cloud environment or network.  Despite this, Unit42 researchers identified over 307,000 publicly communicating Redis systems, all of which will be attempted to be targeted by this self-replicating P2P worm. 

An exploit of CVE-2022-0543 is used to infect vulnerable systems with the worm. This is a Debian-specific Lua sandbox escape vulnerability which is used for initial access by performing remote code execution to establish the initial payload. This vulnerability has the highest CVSS rating of 10.0 and was first reported in February of 2022. Administrators of Redis servers should have prioritised applying the patch for this flaw due to its critical severity, however 934 of the detected internet-exposed instances were found to still be vulnerable to this flaw, over a year later. This is also not the first widespread attack on Redis found to exploit this flaw, with a botnet attack launched by threat actor Muhstik last year  including the publishing of PoC code for their attack. 

The NCSC backed cyber security standard considered to be the least you can do to establish cyber security in your business, Cyber Essentials, requires all critical and high severity vulnerabilities to be mitigated within 14 days of the patch becoming available. In March of last year the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to their Known Exploited Vulnerabilities Catalog, requiring all federal agencies to patch this flaw by the 18th April 2022. Any systems that remain unpatched should be immediately updated by the server administrators to the most recent version available.