A new variant of the Sysrv botnet has added a recently disclosed Spring Cloud Gateway vulnerability to its exploit portfolio, Microsoft has warned.
The Sysrv botnet has been active since late 2020, exploiting known security flaws in internet-exposed interfaces to compromise Windows and Linux systems and install a Monero cryptominer on them.
Sysrv has previously targeted web apps and databases such as MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts, Mongo-Express, and Oracle WebLogic. The botnet scans the internet for vulnerable web servers to compromise; although patches exist for all of the targeted vulnerabilities, the victim servers have yet to be patched.
According to Microsoft Security Intelligence, the recently observed botnet variant, Sysrv-K, has expanded its exploit portfolio.
“We encountered a new variant of the Sysrv botnet that is known to exploit vulnerabilities in web apps and databases to install a coin miner on Windows and Linux systems. The new variant we call Sysrv-K has additional exploits and can gain control over web servers,” Microsoft tweeted.
The tech giant said the variant targets a range of vulnerabilities, including file download and file disclosure flaws, path traversal, and remote code execution bugs.
“These vulnerabilities have been fixed through security updates, including old vulnerabilities in WordPress plugins, as well as new vulnerabilities such as CVE-2022-22947,” the company said.
CVE-2022-22947 (CVSS score 10) is a critical vulnerability in Spring Cloud Gateway, a widely used API gateway built on the Spring Framework. It exposes applications to code injection, allowing unauthorized remote attackers to achieve remote code execution.
According to Microsoft, Sysrv-K also collects database credentials and scans for WordPress configuration files and their backups in an attempt to take over the web server. Additionally, the bot packs updated communication capabilities, such as support for Telegram.
“Like older variants, Sysrv-K scans SSH keys, IP addresses, and hostnames, and then tries to connect to other systems on the network via SSH to execute copies of itself. This puts other networks at risk of becoming part of the Sysrv-K botnet,” said Microsoft.
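The scanning for WordPress configuration files and their backups described above is visible in ordinary web server access logs. The following is an added example (not Microsoft's or the article's code) that parses Common Log Format lines, flags requests probing for wp-config.php and typical backup copies of it, and separates mere probes from requests the server actually answered with a 2xx, which is the case where database credentials may have been exposed. The log lines, IP addresses and timestamps are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format) showing one source
# sweeping a site for leftover copies of wp-config.php.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2022:10:01:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 162
203.0.113.5 - - [14/May/2022:10:01:03 +0000] "GET /wp-config.php~ HTTP/1.1" 404 162
203.0.113.5 - - [14/May/2022:10:01:04 +0000] "GET /wp-config.php.save HTTP/1.1" 200 3120
198.51.100.7 - - [14/May/2022:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [14/May/2022:10:02:11 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 800
203.0.113.5 - - [14/May/2022:10:01:05 +0000] "GET /backup/wp-config.php.old HTTP/1.1" 200 3120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# wp-config.php itself, plus editor/backup suffixes that leave a readable copy
# the PHP handler will not execute (so the raw file, credentials included, is served).
CONFIG_PROBE_RE = re.compile(
    r'/wp-config\.php(\.(bak|old|orig|save|swp|txt|dist|backup|\d+)|~)?$', re.IGNORECASE
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_config_probes(log_text):
    """Return the requests that probe for wp-config.php or a backup copy of it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and CONFIG_PROBE_RE.search(rec["path"].split("?")[0]):
            rec["served"] = rec["status"].startswith("2")  # 2xx: the file really was exposed
            hits.append(rec)
    return hits

def summarize(hits):
    """Count probes per source IP and list the paths that were actually served."""
    by_ip = Counter(h["ip"] for h in hits)
    exposed = sorted({h["path"] for h in hits if h["served"]})
    return {"scanners": dict(by_ip), "exposed_paths": exposed}

if __name__ == "__main__":
    found = find_config_probes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(found))
```

Any path in `exposed_paths` is a file to remove from the web root and a credential set to rotate; the per-IP counts feed a blocklist or a rate-limit rule.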
Organizations are advised to reduce the risk posed by this botnet by keeping their internet-facing systems secure, installing available security patches promptly, and following security best practices.