FortiGuard Labs recently identified persistent P2Pinfect presences within Google Kubernetes Engine (GKE) clusters at several client companies, with one compromise spanning six months. The compromises originated from exposed Redis instances, which allowed the botnet to gain an initial foothold. The botnet's beaconing was repeatedly flagged in FortiCNAPP's Composite Alerts, underscoring how a single misconfiguration can enable long-term compromise in cloud environments. The IOCs observed across customers also had significant overlap.[1] While FortiGuard's telemetry indicated that no second-stage payload was ever executed, this botnet has been observed in the wild to remain dormant for extended periods before delivering ransomware and crypto miners. Some variants of the P2Pinfect client also have user-mode rootkit capabilities.
[1] https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise/
Link to full report: IR-26-141-001_P2P.pdf