Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware.
The botnet variant is being called Sysrv-K by Microsoft Security Intelligence researchers that posted a thread on Twitter revealing details of the botnet variant.
Researchers said criminals behind Sysrv-K have programmed their bot army to scan for instances of the flaws in WordPress plugins as well as a recent remote code execution (RCE) flaw in the Spring Cloud Gateway (CVE-2022-22947).
“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947. Once running on a device, Sysrv-K deploys a cryptocurrency miner,” said Microsoft Security Intelligence in a tweet.
We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.
— Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022
The Spring Cloud is an open-source library that eases the process of developing the JVM application for the cloud and the Spring Cloud Gateway provides a library for building API Gateways for Spring and Java.
The CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library and an attacker can perform remote code execution (RCE) on unpatched hosts. The flaw affected the VMware and Oracle products and it has been marked as critical by both the vendors.
Working of Sysrv-K
The Microsoft security intelligence team warned that Sysrv-K can gain control of the web servers by scanning the internet for various vulnerabilities to install itself. The vulnerabilities range from RCE to an arbitrary file download and path traversal to remote file disclosure.
The security researcher at Lacework Labs and Juniper Threat Labs observed two main components of malware that is to spread itself across networks by scanning the internet for vulnerable systems and installing the XMRig cryptocurrency miner (used for mining Monero) following a surge of activity in March 2021.
The new feature of Sysrv-K is that it scans for WordPress config files and their backups to steal credentials and gain access to the webserver. Apart from this “Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot” Microsoft added.
“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet” the Microsoft security intelligence team reported.
Microsoft advised the organizations to secure internet-facing Linux or Windows systems, timely apply security updates, and protect credentials. “Microsoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behavior and payloads,” they added.
The critical RCE, Worms, and 6 Zero-days including (CVE-2022-22947) were faced by Microsoft in January 2022.