Threat actors have been targeting vulnerable Redis instances since February 2022 when the Redis Lua Sandbox Escape and Remote Code Execution Vulnerability, also known as “CVE-2022-0543,” was discovered. The Mushtik Gang was one of the first cyber attack groups to exploit it. They infected vulnerable devices with a malicious script that allowed them to download files, inject shell commands, and launch flood and Secure Shell (SSH) brute-force attacks remotely.

Just last month, Palo Alto Networks’s Unit 42 uncovered another exploitation attack targeting the same bug, this time using a self-replicating peer-to-peer (P2P) worm they’ve dubbed “P2PInfect.” They published seven indicators of compromise (IoCs)—five IP addresses and two domains—as part of their analysis.

WhoisXML API expanded the list of P2PInfect IoCs and discovered that:

• Six domains contained the string worldive, akin to one of the domains identified as IoCs.
• More than 10,000 domains contained the string redis, 20 of which have been classified as malicious by a bulk malware check.
• More than 10,000 subdomains contained the string redis, six of which turned out to be malicious according to a bulk malware check.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

DNS Discoveries about the P2PInfect IoCs

WHOIS lookups for the two domains identified as P2PInfect IoCs only produced results for one domain name—myhealthlifego[.]com. Created in October 2022, it was administered by PDR Ltd. and registered in China.

DNS lookups, meanwhile, for the domains identified as IoCs showed that myhealthlifego[.]com resolved to 66[.]154[.]127[.]38 (also identified as a P2PInfect IoC).

Next, a bulk IP geolocation lookup for the IP addresses identified as IoCs revealed that:

• A majority of them (three to be exact) pointed to Canada as their origin.
• The two remaining IoCs originated from China and the U.S.
• The five IoCs were administered by four ISPs led by QuadraNet Enterprises LLC, which accounted for two of the IP addresses. One IoC each was managed by Alibaba.com Singapore E-Commerce Private Limited; Amazon Technologies, Inc. (EC2); and TruVista Communications.

Reverse IP lookups for the IP addresses identified as IoCs showed that only one continued to serve as a domain host—66[.]154[.]127[.]38. It was dedicated to hosting the domain myhealthlifego[.]com.

Domains & Subdomains Discovery searches for the string worldive similar to one of the domains identified as IoCs turned up six similar-looking domains. None of them were categorized as malicious to date.

It’s also interesting to note that one of them—oneworldive[.]com—seemed to belong to a legitimate company as none of its WHOIS record details have been redacted. Additional Google searches, in fact, pointed to a legitimate and registered dive and travel company. They may have obtained the misspelled variation of their official domain name—oneworlddive[.]com—as an anti-cybersquatting measure.

Are Redis Devices on Other Attackers’ Radar?

Apart from determining P2PInfect DNS connections, we also sought to discover if threat actors could target Redis instances in other ways, such as via phishing and DNS takeover attacks. To do that, we used redis as a Domains & Subdomains Discovery search term for both domains and subdomains.

We uncovered more than 10,000 redis-containing domains.

• The 3,485 domains with creation dates in their WHOIS records were created between 1990 and 2023.

  

• The 3,522 domains whose owners indicated their registrars were spread across 428 registrars led by GoDaddy.com, which accounted for 677 domains. Namecheap (203 domains), OVH (133 domains), URL Solutions (121 domains), Google (120 domains), Name.com (106 domains), Tucows (102 domains), Dynadot (72 domains), TurnCommerce (71 domains), and PDR (63 domains) completed the top 10.

  

• The 3,028 domains with unredacted registrant countries were registered in 95 countries led by the U.S., which accounted for 1,234 domains. Iceland (172 domains), Canada (171 domains), France (163 domains), China (128 domains), Panama (122 domains), Italy and the Netherlands (116 domains each), the U.K. (83 domains), and Spain (68 domains) rounded out the top 10.

  

A bulk malware check for the redis-containing domains showed that 20 of them were classified as malicious—17 as malware hosts and three as spam senders.

Screenshot lookups for the malicious brand-containing domains, meanwhile, revealed that seven of them remained accessible—two hosted live content, four led to error or blank pages, and one was up for sale. Of those that continued to host live content, wpredis[.]com proved most interesting in that based on the domain name alone, it could be confused for a WordPress-hosted blog on Redis devices. While it does host a blog, it doesn’t seem to have anything to do with the server.

Next, a bulk malware check for the redis-containing subdomains showed that six turned out to be malware hosts.

Finally, screenshot lookups for the malicious brand-containing subdomains revealed that three remained accessible—one continued to host live content and two led to error pages.

Our Redis vulnerability exploit attack IoC expansion analysis led to the discovery of other domains that looked similar to one of the domains identified as IoCs. Scouring the DNS, meanwhile, for domains and subdomains that threat actors may have already used or could potentially weaponize in future Redis-targeted attacks allowed us to identify 25 malicious web properties and close to 20,000 artifacts.

All that said, our DNS deep dive findings could point to more attacks trailing their sights on Redis devices although not necessarily via the already much-exploited Redis Lua Sandbox Escape and Remote Code Execution Vulnerability or CVE-2022-0543. Look-alike domains could figure in phishing campaigns while forgotten subdomains could serve as DNS takeover vectors.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.