P2PInfect Botnet Compromises Kubernetes Clusters via Redis

P2PInfect botnet breaches Kubernetes via exposed Redis and CVE-2022-0543

P2PInfect Botnet Compromises Kubernetes Clusters: What Happened?

The P2PInfect botnet has recently made headlines for compromising Kubernetes clusters through exposed Redis instances. This threat highlights the importance of securing Redis, a commonly used data store in cloud environments. P2PInfect, written in Rust and active since mid-2023, is now targeting managed cloud infrastructure in a more persistent and sophisticated way.

Researchers from FortiGuard Labs observed real-world attacks on Google Kubernetes Engine (GKE) clusters. The botnet exploits misconfigured Redis setups by abusing the replication feature and the CVE-2022-0543 Lua sandbox escape vulnerability, which allows attackers to execute arbitrary code. The infection begins when a Redis instance is exposed to the internet without proper access controls.

Attack Chain and Techniques Used

  • Attackers scan for exposed Redis services within Kubernetes clusters.
  • They connect to the vulnerable service and issue the SLAVEOF command, turning the node into a follower of a malicious server.
  • The node loads malicious modules, giving attackers code execution capabilities.
  • The botnet leverages CVE-2022-0543 to escalate privileges and further compromise the system.
  • Infected hosts join a peer-to-peer mesh network, communicating with other botnet peers and waiting for instructions.

This peer-to-peer design ensures persistence and evasion, making the botnet difficult to disrupt. There is no single command server to block, so traditional defence mechanisms may struggle to contain the infection.

Why P2PInfect Matters for Cloud Security

The compromise of Kubernetes clusters by the P2PInfect botnet presents significant risks for organisations. Kubernetes clusters often host critical business applications and sensitive data. A single misconfigured Redis instance can open the door to long-term, hidden infections that threaten the integrity of the entire environment.

The peer-to-peer nature of P2PInfect allows it to grow its network quietly and persistently. Once inside, the malware can distribute payloads, gather intelligence about the environment, and maintain communication without relying on a central server. This makes detection and remediation more challenging for security teams.

Potential Impact on Organisations

  • Compromised nodes may lead to data exfiltration or unauthorised access to sensitive workloads.
  • Business operations could be disrupted if critical applications are affected.
  • Long-term infections can remain dormant, waiting for further instructions from threat actors.
  • Organisations using managed platforms like GKE without strict network controls are particularly vulnerable.

Given the critical CVE-2022-0543 vulnerability (with a CVSS score of 10.0), attackers can reliably gain code execution on unpatched Redis instances, raising the stakes for cloud security.

How Organisations Should Respond to P2PInfect Botnet Threats

Protecting Kubernetes clusters from the P2PInfect botnet requires a multi-layered approach. Organisations must prioritise secure configurations, limit network exposure, and keep software up to date.

Best Practices for Securing Redis in Cloud Environments

  • Restrict access: Ensure Redis instances are not exposed to the internet. Use firewalls and network policies to limit access to authorised users and services only.
  • Patch vulnerabilities: Apply updates and security patches regularly, especially for known vulnerabilities like CVE-2022-0543.
  • Disable unnecessary features: Turn off Redis replication and other features not required for your environment, reducing the attack surface.
  • Monitor for suspicious activity: Set up logging and alerting for unusual commands (such as SLAVEOF) or outbound connections that could signal botnet activity.
  • Implement role-based access control (RBAC): Use Kubernetes RBAC to restrict permissions and limit which users and workloads can access Redis.
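To make the monitoring advice above concrete against the attack chain this bulletin describes (SLAVEOF to an outside server, then module loading from a client outside the cluster), here is an added example, not code from the original bulletin or from FortiGuard, that scans Redis MONITOR output for those signals. The trusted pod CIDR, the sample MONITOR lines and the module path are all constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample of Redis MONITOR output (not real traffic). 203.0.113.10
# and 198.51.100.7 are documentation-range addresses standing in for hosts
# outside the cluster; the .so path is a made-up placeholder.
SAMPLE_MONITOR = """\
1716300000.100000 [0 10.244.1.17:51234] "GET" "session:abc"
1716300001.200000 [0 10.244.1.17:51234] "SET" "session:abc" "..."
1716300002.300000 [0 198.51.100.7:40112] "SLAVEOF" "203.0.113.10" "6379"
1716300003.400000 [0 198.51.100.7:40112] "MODULE" "LOAD" "/tmp/example-module.so"
1716300004.500000 [0 10.244.2.9:38822] "REPLICAOF" "10.244.0.5" "6379"
"""

# Assumption: clients and replication masters should only live in the
# cluster's pod network. Replace with your own CIDRs.
TRUSTED_NETS = [ipaddress.ip_network("10.244.0.0/16")]

# MONITOR line: "<timestamp> [<db> <client>] "arg" "arg" ..."
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # each argument is double-quoted

def _trusted(host):
    """True if host is a local source (unix socket, Lua) or inside TRUSTED_NETS."""
    if host == "lua" or host.startswith("unix:"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames and junk are treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def scan_monitor(text):
    """Return (timestamp, reason, detail) tuples for suspicious activity."""
    alerts, seen_clients = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = ARG_RE.findall(m.group("args"))
        if not args:
            continue
        cmd, client = args[0].upper(), m.group("client")
        client_ip = client.rsplit(":", 1)[0] if ":" in client and not client.startswith("unix:") else client
        if not _trusted(client_ip) and client_ip not in seen_clients:
            seen_clients.add(client_ip)  # alert once per outside client
            alerts.append((m.group("ts"), "client outside trusted networks", client_ip))
        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) >= 2:
            master = args[1]
            # "SLAVEOF NO ONE" ends replication, so it is not a takeover attempt
            if master.upper() != "NO" and not _trusted(master):
                alerts.append((m.group("ts"), "replication to untrusted master", f"{cmd} {master}"))
        elif cmd == "MODULE" and len(args) >= 2 and args[1].upper() == "LOAD":
            alerts.append((m.group("ts"), "module load", " ".join(a.upper() if i < 2 else a for i, a in enumerate(args))))
    return alerts

if __name__ == "__main__":
    for ts, reason, detail in scan_monitor(SAMPLE_MONITOR):
        print(f"{ts} ALERT {reason}: {detail}")
```

In production this would read a live `redis-cli MONITOR` stream or Redis logs rather than the embedded sample, and the in-cluster REPLICAOF on the last sample line is deliberately left unflagged to show the CIDR check doing its job.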

Additional Steps for Kubernetes Cluster Security

  • Review and harden network policies to prevent lateral movement within the cluster.
  • Regularly scan for misconfigurations and exposed services using automated tools.
  • Educate staff about the risks of exposing services and the importance of configuration management.
  • Conduct periodic incident response drills to ensure preparedness for botnet infections.

By following these best practices, organisations can minimise the risk of P2PInfect compromise and maintain a secure cloud environment. It is essential to treat Redis security as a priority, especially in managed platforms where misconfigurations can have far-reaching consequences.

Conclusion: Taking Action Against P2PInfect Botnet Attacks

The P2PInfect botnet compromise of Kubernetes clusters through exposed Redis instances is a serious reminder of the importance of cloud security hygiene. Organisations must restrict network exposure, patch vulnerabilities, and monitor for suspicious activity to defend against persistent and evasive threats. By acting now, businesses can protect their critical workloads and maintain trust in their cloud infrastructure.

Originally reported by cybersecuritynews.com.

About the Author

Rob McBride

Partner

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

Published: May 21 - 2026