Microsoft is urging organizations to secure internet-facing systems, apply security updates and secure credentials after discovering a new variant of the Sysrv botnet, which is known for exploiting vulnerabilities in web apps and databases to install coin miners on Windows and Linux systems.
In a series of tweets, the Redmond, Wash. IT giant says the new variant – which it calls Sysrv-K – is capable of additional exploits and gaining control of web servers.
The Microsoft Security Intelligence Twitter account tweets that Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself, with bugs ranging from path traversal and remote file disclosure to arbitrary file download and remote code execution flaws.
We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.
— Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022
Vulnerabilities largely include older, already patched bugs in WordPress plugins, but some newer vulnerabilities are also being leveraged, including a code injection flaw in Spring Cloud Gateway (CVE-2022-22947) that could lead to arbitrary remote code execution on a remote host. Once the malware is installed on a device, it deploys a cryptocurrency miner, per Microsoft’s tweets.
While using a botnet to deploy a cryptocurrency miner is not novel, Microsoft notes that Sysrv-K scans for WordPress configuration files and their backups to retrieve database credentials, which are then leveraged to gain control of the web server.
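As an added defensive example (not from Microsoft's advisory or the malware itself), the following Python audit walks a WordPress web root for the two conditions the passage above describes as Sysrv-K's credential source: leftover copies of wp-config.php (the backup and editor-temp naming patterns are an assumed list) and live wp-config.php files readable by other local users. It reports which DB_* constants a copy still defines, never their values.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

CONFIG_NAME = "wp-config.php"
# Matches define('DB_NAME', ...), define("DB_PASSWORD", ...) etc.; captures the key only.
DB_DEFINE_RE = re.compile(r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")


def is_config_backup(name: str) -> bool:
    """wp-config.php.bak, wp-config.php~, .wp-config.php.swp, wp-config.old.php ..."""
    n = name.lower().lstrip(".")  # editors such as vim create .wp-config.php.swp
    return n.startswith("wp-config") and n not in (CONFIG_NAME, "wp-config-sample.php")


def leaked_db_keys(path: Path) -> list[str]:
    """Names of DB_* constants a config copy still defines (values are never returned)."""
    try:
        return sorted(set(DB_DEFINE_RE.findall(path.read_text(errors="ignore"))))
    except OSError:
        return []


def audit_webroot(root) -> list[tuple[str, str, str]]:
    """Walk a web root; return sorted (issue, path relative to root, detail) tuples."""
    root, findings = Path(root), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if is_config_backup(name):
                keys = leaked_db_keys(p)
                findings.append(("config-copy", rel, ",".join(keys) or "no DB_* defines"))
            elif name == CONFIG_NAME and os.stat(p).st_mode & stat.S_IROTH:
                findings.append(("world-readable-config", rel, oct(os.stat(p).st_mode & 0o777)))
    return sorted(findings)


def demo() -> list[tuple[str, str, str]]:
    """Build a constructed web root showing both issues, audit it, then clean up."""
    root = Path(tempfile.mkdtemp(prefix="wproot-"))
    try:
        (root / "index.php").write_text("<?php echo 'hi';")
        live = root / CONFIG_NAME
        live.write_text("<?php define('DB_NAME', 'wp'); define('DB_PASSWORD', 'x');")
        live.chmod(0o640)  # correct: the web server group can read it, 'other' cannot
        (root / "wp-config.php.bak").write_text("<?php define('DB_USER', 'wp'); define('DB_PASSWORD', 'x');")
        (root / "old").mkdir()
        stale = root / "old" / CONFIG_NAME
        stale.write_text("<?php define('DB_HOST', 'localhost');")
        stale.chmod(0o644)  # wrong: any local account can read the credentials
        return audit_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run `demo()` to see the two findings on the constructed tree, or point `audit_webroot()` at a real document root on a Linux host.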
In addition, Sysrv-K has advanced communication capabilities, including the ability to use a Telegram bot.
Similar to older variants, Sysrv-K scans for SSH keys, IP addresses and host names in an attempt to connect to other systems in the network via SSH and deploy copies of itself.
“This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” Microsoft Security Intelligence says via tweet. “We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene.”
Microsoft also notes that Microsoft Defender for Endpoint detects this botnet, as well as older variants and their related behavior and payloads.