Microsoft’s IT security experts observed the Sysrv botnet and discovered a new version. It explicitly targets security gaps for which updates are already available. After a successful break-in, the cybercriminals mined cryptocurrencies on the compromised machines.
The Sysrv botnet is known for abusing known vulnerabilities in web apps and databases to install crypto miners on Windows and Linux systems, the researchers wrote on Twitter. The new version, which the company calls Sysrv-K, adds exploits for further vulnerabilities and can take control of web servers.
Sysrv-K scans the Internet for vulnerable servers. The vulnerabilities range from path traversal and unauthorized remote file access to arbitrary file download and remote code execution over the network. Among them are vulnerabilities in WordPress plugins and the critical Spring Cloud Gateway vulnerability CVE-2022-22947.
New is the behavior of searching WordPress configuration files and their backups for database credentials in order to take control of the web server. Like earlier versions, Sysrv-K continues to look for SSH keys, IP addresses and host names in order to connect to other systems on the network and install copies of itself there.
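As an added defensive check (example code written for this page, not Microsoft’s tooling or anything the article itself contains), the following Python script audits a WordPress web root for exactly the material described above: leftover copies of wp-config.php and overly loose permissions on the live file. The file-name heuristic, the severity scale and the sample web root it builds are assumptions of the example.

```python
"""Audit a WordPress web root for leftover wp-config.php copies and loose permissions."""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Optional

CONFIG_NAME = "wp-config.php"


def classify(name: str) -> Optional[str]:
    """Return 'config' for wp-config.php itself, 'backup' for a copy or backup
    variant, or None for an unrelated file.

    The naming heuristic is an assumption of this example: editors and admins
    commonly leave files such as wp-config.php.bak, wp-config.php~,
    wp-config.php.orig or wp-config-backup.php next to the live config."""
    if name == CONFIG_NAME:
        return "config"
    if name.startswith("wp-config") or name.startswith(".wp-config"):
        return "backup"
    return None


def audit_webroot(root: str) -> list:
    """Walk `root` and report every wp-config artifact with a severity.

    A backup copy whose name does not end in .php is served as plain text by a
    default Apache/nginx PHP setup, so it hands the database credentials to
    anyone who guesses the name (severity 'high'). A backup that still ends in
    .php is executed rather than displayed, but is a stale credential copy that
    should be removed ('medium'). The live wp-config.php should not be readable
    by other local users ('medium' if world-readable, otherwise 'info')."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            path = Path(dirpath) / name
            world_readable = bool(path.stat().st_mode & stat.S_IROTH)
            served_as_text = kind == "backup" and not name.endswith(".php")
            if served_as_text:
                severity = "high"
            elif kind == "backup" or world_readable:
                severity = "medium"
            else:
                severity = "info"
            findings.append({
                "path": str(path.relative_to(root)),
                "kind": kind,
                "world_readable": world_readable,
                "served_as_text": served_as_text,
                "severity": severity,
            })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed sample web root in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    samples = {
        "wp-config.php": 0o640,            # live config, not world-readable
        "wp-config.php.bak": 0o644,        # backup served as text: credential leak
        "wp-config-backup.php": 0o644,     # stale copy, still executed by PHP
        "index.php": 0o644,                # unrelated files are ignored
        "wp-content/uploads/image.jpg": 0o644,
    }
    for rel, mode in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        # constructed placeholder content, not a real credential
        p.write_text("<?php define('DB_PASSWORD', 'constructed-sample'); ?>\n")
        os.chmod(p, mode)
    return audit_webroot(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in audit_webroot(target) if target else demo():
        print(f"[{f['severity']:6}] {f['path']}  kind={f['kind']} "
              f"world_readable={f['world_readable']} served_as_text={f['served_as_text']}")
```

Run it with the web root as the first argument (`python audit_wpconfig.py /var/www/html`); without an argument it audits the constructed sample tree. Any 'high' finding is a file that will serve the database credentials over HTTP and should be deleted, not merely chmod'ed.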
Microsoft’s IT forensics experts therefore recommend that Internet-facing systems be updated very quickly with the available patches. In addition, IT managers should practise “access hygiene”: enable access only where it is needed and grant it only to users who genuinely need it.