Neowin readers and the community, in general, got pretty excited when Microsoft first revealed it was adding Rust to the Windows 11 kernel. That was back in April at the BlueHat IL 2023 conference, and around a month later, on May 11 (or 10th, depending on where you live), the company announced that Rust was now live inside the kernel of Windows 11 Insider builds.
Microsoft's David Weston, Vice President, Enterprise and OS Security, explained that a reason for adding Rust was to improve the security of the Windows 11 memory system as Rust is considered memory-safe and type-safe.
Interestingly, security researchers at Palo Alto Networks have discovered a new peer-to-peer (P2P) worm, dubbed P2PInfect, that is built in Rust, and the malware affects Redis (Remote Dictionary Server) servers on both Windows and Linux. The worm exploits the Lua sandbox escape vulnerability, tracked as CVE-2022-0543 since 2022, which can lead to remote code execution (RCE).
In its blog post, Palo Alto Networks explains:
Written in Rust, a highly scalable and cloud-friendly programming language, this worm is capable of cross-platform infections and targets Redis, a popular open-source database application that is heavily used within cloud environments.
[...]
The P2PInfect worm infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543. While the vulnerability was disclosed in 2022, its scope is not fully known at this point. However, it is rated in the NIST National Vulnerability Database with a Critical CVSS score of 10.0. Additionally, the fact that P2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable and potent than other worms.
A P2P worm is a type of worm that takes advantage of the mechanics of a P2P network to distribute a copy of itself to unsuspecting P2P users. In this case, after dropping an initial malicious payload, P2PInfect establishes P2P communication with the larger network of infected hosts and downloads additional malicious binaries. The chain then continues, infecting further Redis server instances.
You can find more technical details about the P2PInfect malware campaign on Palo Alto's website.