Microsoft's security researchers have been observing the Sysrv botnet and have discovered a new variant. It targets security holes for which updates are already available. After breaking in, the criminals mine cryptocurrency on the compromised machines.
The researchers write on Twitter that the Sysrv botnet is known to abuse known vulnerabilities in web applications and databases to install crypto miners on Windows and Linux systems. The new variant, which the company calls Sysrv-K, adds exploits for further vulnerabilities and can take control of web servers.
Sysrv-K scans the Internet for vulnerable servers. The vulnerabilities it exploits range from path traversal and unauthorized remote file access to arbitrary file download and remote code execution over the network. Among them are vulnerabilities in WordPress plugins and the critical Spring Cloud Gateway vulnerability CVE-2022-22947.
New behaviors include searching WordPress configuration files and their backups for database credentials and using them to take over the web server. As in earlier versions, Sysrv-K continues to look for SSH keys, IP addresses, and hostnames in order to connect to other systems on the network and spread copies of itself to them.
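The probing and credential-harvesting behavior described above leaves traces in ordinary web server access logs. The following Python script is an added example, not code from Microsoft, the article, or the botnet: it parses combined-format log lines and flags requests that match the probing the article describes. The sample log lines are constructed, and the concrete request patterns (the wp-config.php backup suffixes, the traversal sequences, and the POST requests to the Spring Cloud Gateway actuator routes/refresh endpoints used by the public CVE-2022-22947 exploit) are assumptions drawn from public descriptions of those techniques rather than from the article.

```python
"""Triage web-server access logs for Sysrv-K-style probing.

Added example, not Microsoft's or the botnet's code. The request patterns
below are assumptions based on public descriptions of the techniques the
article names (path traversal, WordPress config/backups, CVE-2022-22947).
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2022:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2022:08:01:13 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.10 - - [10/May/2022:08:01:14 +0000] "GET /plugin/download.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2810 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2022:08:02:40 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0 "-" "python-requests/2.27"
198.51.100.7 - - [10/May/2022:08:02:41 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0 "-" "python-requests/2.27"
192.0.2.5 - - [10/May/2022:08:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# wp-config.php plus common editor/backup suffixes (assumed list; extend as needed).
WP_CONFIG_RE = re.compile(
    r'wp-config\.php(?:\.(?:bak|old|orig|save|swp|txt|zip)|~)?(?:$|[?&/])', re.I
)

# Publicly documented CVE-2022-22947 exploit flow (assumption, not from the article):
# POST a route carrying a SpEL filter, then POST the refresh endpoint to trigger it.
ACTUATOR_RE = re.compile(r'^/actuator/gateway/(?:routes/[^/?]+|refresh)$')


def normalize(target: str) -> str:
    """Percent-decode twice to defeat double encoding and unify path separators."""
    decoded = unquote(unquote(target))
    return decoded.replace('\\', '/')


def classify(method: str, target: str, status: str) -> list:
    """Return the reasons a request looks like Sysrv-K probing (empty list if none)."""
    reasons = []
    t = normalize(target)
    path = t.split('?', 1)[0]
    if '../' in t:
        reasons.append('path traversal')
    if WP_CONFIG_RE.search(t):
        # A 2xx on the config file or a backup means DB credentials may have leaked.
        reasons.append('wp-config disclosure' if status.startswith('2') else 'wp-config probe')
    if method == 'POST' and ACTUATOR_RE.match(path):
        reasons.append('spring cloud gateway actuator (CVE-2022-22947 pattern)')
    return reasons


def triage(log_text: str) -> list:
    """Parse every log line and collect the suspicious requests with their reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        reasons = classify(m['method'], m['target'], m['status'])
        if reasons:
            findings.append({'ip': m['ip'], 'target': m['target'],
                             'status': int(m['status']), 'reasons': reasons})
    return findings


def sources(findings: list) -> list:
    """Source IPs ordered by number of suspicious requests, for blocking or hunting."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:15} {f['status']} {f['target']}  <- {', '.join(f['reasons'])}")
    print(sources(hits))
```

Feed it a real access log in place of SAMPLE_LOG; a 2xx on any wp-config.php variant is the finding to act on first, because it means the database credentials the article says the bot harvests may already be in the attacker's hands.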
Microsoft's security experts therefore recommend that Internet-facing systems in particular be patched promptly with the updates already available. In addition, IT managers should practice access hygiene, that is, enable access only where needed and grant it only to users who genuinely require it.