Microsoft has discovered a new variant of the Sysrv botnet that adds an exploit for a recent Spring Cloud Gateway vulnerability, CVE-2022-22947, to its arsenal.
The Sysrv botnet has been active since at least late 2020, exploiting known vulnerabilities in internet-facing web applications and databases to break into Windows and Linux systems and install a Monero cryptominer. Its targets have included MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts 2+ and Oracle WebLogic 11g+, among others.
The botnet scans the internet for vulnerable servers. Patches exist for every vulnerability it targets, so the hosts it compromises are the ones that were never updated. According to Microsoft Security Intelligence, a recently observed variant, dubbed Sysrv-K, carries a larger set of exploits than its predecessors.
“We encountered a new variant of the Sysrv botnet, known for exploiting web apps and database vulnerabilities to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports other exploits and can gain control of web servers,” Microsoft reported on Twitter.
According to Microsoft, the flaws targeted by the new variant range from path traversal and remote file disclosure to arbitrary file download and remote code execution. They include old vulnerabilities in WordPress plugins as well as newer ones such as CVE-2022-22947, the Spring Cloud Gateway flaw mentioned above.
In the worst case the attacker gains remote code execution and full control of the server. CVE-2022-22947 shows how: when a Spring Cloud Gateway application has the Gateway Actuator endpoint enabled, exposed over HTTP and left unsecured, an unauthenticated client can create a route whose filter contains a SpEL expression. The gateway evaluates that expression when it refreshes its routes, so the attacker's code runs inside the application. Spring Cloud Gateway 3.1.1 and 3.0.7 fix the issue; on older versions the actuator endpoint should be disabled, or protected by Spring Security if it is genuinely needed, until the upgrade lands.
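The following is an added example, not code from Microsoft or the Spring project, showing two defender-side checks for the CVE-2022-22947 scenario above: a detector that runs over web-server access logs and flags a client that both modifies a gateway route and triggers a refresh (the sequence the public exploitation pattern follows), and an audit of a Spring Boot `application.properties` file that reports whether the gateway actuator endpoint is enabled and exposed over HTTP. The log lines and property fragments are constructed for the example; the trusted-network prefix, the assumed Spring Boot defaults for `management.endpoint.gateway.enabled` and `management.endpoints.web.exposure.include`, and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample web-server access log (combined log format). It mirrors
# the publicly documented exploitation sequence for CVE-2022-22947: create a
# route whose filter carries a SpEL expression, refresh the gateway so the
# expression is evaluated, read the result back, then delete the route.
# These lines are made up for this example and are not from a real incident.
SAMPLE_LOG = """\
10.0.0.7 - - [16/May/2022:10:00:01 +0000] "GET /api/health HTTP/1.1" 200 15
198.51.100.23 - - [16/May/2022:10:00:05 +0000] "POST /actuator/gateway/routes/x1 HTTP/1.1" 201 0
198.51.100.23 - - [16/May/2022:10:00:06 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
198.51.100.23 - - [16/May/2022:10:00:07 +0000] "GET /actuator/gateway/routes/x1 HTTP/1.1" 200 512
198.51.100.23 - - [16/May/2022:10:00:08 +0000] "DELETE /actuator/gateway/routes/x1 HTTP/1.1" 200 0
10.0.0.9 - - [16/May/2022:10:01:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_WRITE = re.compile(r"^/actuator/gateway/routes/[^/?]+$")
REFRESH_PATH = "/actuator/gateway/refresh"


def detect_gateway_abuse(log_text, trusted_prefixes=("10.",)):
    """Return {client_ip: [(kind, method, path, status), ...]} for clients that
    both wrote a gateway route and triggered a refresh. Hits from trusted_prefixes
    (an assumed operator network) are skipped; everything else is an alert to
    triage, not proof of compromise, since legitimate admins use the same calls."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if ip.startswith(trusted_prefixes):
            continue
        if method in ("POST", "PUT", "DELETE") and ROUTE_WRITE.match(path):
            events[ip].append(("route_write", method, path, status))
        elif method == "POST" and path == REFRESH_PATH:
            events[ip].append(("refresh", method, path, status))
    # The SpEL payload only executes once the gateway reloads its routes, so
    # require both a route modification and a refresh from the same client.
    return {
        ip: ev for ip, ev in events.items()
        if any(e[0] == "route_write" for e in ev) and any(e[0] == "refresh" for e in ev)
    }


# Constructed application.properties fragments: the first exposes the gateway
# actuator endpoint over HTTP to anyone who can reach the port, the second
# hides it. Property names are Spring Boot's; the defaults used below when a
# property is absent are this example's assumptions.
WEAK_PROPERTIES = """\
management.endpoints.web.exposure.include=*
management.endpoint.gateway.enabled=true
"""
HARDENED_PROPERTIES = """\
management.endpoints.web.exposure.include=health
management.endpoint.gateway.enabled=false
"""


def gateway_actuator_exposed(properties_text):
    """True when the gateway actuator endpoint is enabled and included in the web
    exposure list (by wildcard or by name) without being excluded."""
    props = {}
    for line in properties_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = {p.strip() for p in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {p.strip() for p in props.get("management.endpoints.web.exposure.exclude", "").split(",")}
    exposed = ("*" in include or "gateway" in include) and "gateway" not in exclude and "*" not in exclude
    return enabled and exposed
```

Run on the sample log, the detector reports only 198.51.100.23 (the route write, the refresh and the delete); the GET that reads the result back is deliberately not scored, because reads of the routes endpoint are common in legitimate monitoring. The properties audit is a static check: it tells you the endpoint is reachable, not whether Spring Security sits in front of it, so a "true" result still needs a look at the security configuration.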
Like earlier versions, Sysrv-K harvests SSH keys, IP addresses and hostnames from the compromised host and uses them to connect to other machines over SSH and deploy copies of itself. One unpatched web server can therefore seed the rest of the network into the botnet.
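As an added example (not code from Microsoft or from the botnet itself), the following shows how a defender can measure the blast radius the paragraph above describes: it parses a `known_hosts` file into the SSH targets an attacker on the host would learn about, and inspects private key files for a passphrase without loading them, using the `openssh-key-v1` header layout (the cipher name is "none" for an unprotected key) and the legacy PEM `Proc-Type: 4,ENCRYPTED` header. The `known_hosts` lines and key fixtures are constructed for the example, and the function names are this example's own.

```python
import base64
import re
import struct

# Constructed sample known_hosts (not from a real host). Sysrv-K harvests
# exactly this kind of file: every entry is a machine the compromised host
# has already talked to over SSH.
SAMPLE_KNOWN_HOSTS = """\
# hosts the build account has connected to
build01,10.0.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyDataForTheExampleOnly
[db01.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeKeyData
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyData
"""


def parse_known_hosts(text):
    """Return (hosts, hashed_count), where hosts is a list of (hostname, port).
    Hashed entries (|1|salt|hmac) hide the name, so they are only counted; an
    attacker can still confirm a guessed hostname against the HMAC."""
    hosts, hashed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # skip @cert-authority / @revoked markers
        field = parts[1] if parts[0].startswith("@") else parts[0]
        if field.startswith("|1|"):
            hashed += 1
            continue
        for h in field.split(","):
            m = re.fullmatch(r"\[(.+)\]:(\d+)", h)
            hosts.append((m[1], int(m[2])) if m else (h, 22))
    return hosts, hashed


def private_key_is_encrypted(key_text):
    """Check a private key file for a passphrase without loading the key.
    OpenSSH-format keys store the cipher name right after the magic string and
    use 'none' when unprotected; legacy PEM keys carry a Proc-Type header."""
    lines = key_text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)


def make_sample_openssh_key(cipher):
    """Constructed test fixture: just enough of an OpenSSH private-key envelope
    (magic, ciphername, kdfname) to exercise the check above. Not a usable key."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = b"openssh-key-v1\x00"
    body += struct.pack(">I", len(cipher)) + cipher
    body += struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM fixture with the header OpenSSH writes for a
# passphrase-protected key; the body is placeholder text, not key material.
SAMPLE_LEGACY_ENCRYPTED_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

RmFrZUtleUJvZHlGb3JUaGVFeGFtcGxlT25seQ==
-----END RSA PRIVATE KEY-----
"""


def blast_radius(known_hosts_text, key_texts):
    """Summarise what an attacker on this host gets for free: reachable SSH
    targets plus the number of private keys that need no passphrase."""
    hosts, hashed = parse_known_hosts(known_hosts_text)
    unprotected = sum(1 for k in key_texts if not private_key_is_encrypted(k))
    return {"hosts": hosts, "hashed_entries": hashed, "unprotected_keys": unprotected}
```

In practice you would feed `blast_radius` the contents of `~/.ssh/known_hosts` and every `~/.ssh/id_*` file from an internet-facing host. Hashed `known_hosts` entries (`HashKnownHosts yes`) slow an attacker down but do not stop one who already has a hostname list, and an unencrypted key on a web server is exactly the credential Sysrv-K needs to hop inward.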
Organizations should secure all internet-facing systems by applying security updates promptly and following recommended hardening practices. Because the botnet spreads over SSH once it lands, it is also worth checking that keys stored on exposed hosts do not grant passphrase-free access into the rest of the network.