Microsoft has issued a warning about a new version of the srv botnet, which is exploiting several vulnerabilities in web applications and databases. The vulnerability can lead to the installation of coin miners on both Windows and Linux systems.
The tech giant, labelled the new variant Sysrv-K, said the botnet can weaponise an array of exploits to seize control of web servers. The crypto-jacking botnet was first reported in December 2020.
“Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself,” the company said in a series of tweets. “The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities.”
It includes CVE-2022-22947 (CVSS score: 10.0), a code injection flaw in Spring Cloud Gateway that can lead to arbitrary remote execution on a remote host via a maliciously crafted request.
The U.S. cybersecurity and infrastructure Security Agency, in the light of the exploitation of CVE-2022-22947, has added the flaw to its Known Exploited Vulnerabilities Catalog.
The core difference is that Sysrv-K scans for WordPress configuration files and their backups to obtain database credentials, which are then used to take control of web servers. It has also improved its command-and-control communication to utilise a Telegram Bot.
Once infected, the SSH keys allow lateral movement on the victim machine to plant copies of the malware to other systems and expand the botnet’s size, which may jeopardise the entire network.
“The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware,” Lacework Labs researchers noted last year. “Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems.”
Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.