‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

A new variant of the Sysrv botnet has added a recent Spring Cloud Gateway vulnerability to its exploit portfolio, Microsoft warns.

The Sysrv botnet has been active since at least late 2020. It exploits known, already-patched vulnerabilities in internet-exposed web applications and databases to compromise Windows and Linux systems and install a Monero cryptominer on them.

Sysrv was previously seen targeting web apps and databases, including MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts, Mongo-Express, and Oracle WebLogic, among others.

The botnet scans the internet for web servers running vulnerable software. Patches exist for every vulnerability it targets; the servers it compromises are those whose operators have not applied them.

According to Microsoft Security Intelligence, a recently observed variant of the botnet, which is dubbed Sysrv-K, has expanded the portfolio of exploits.

“We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers,” Microsoft tweeted.

The targeted vulnerabilities, the tech giant says, include file download and file disclosure, path traversal, and remote code execution flaws.

“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947,” the company says.

CVE-2022-22947 (CVSS score of 10) is a critical code injection vulnerability in Spring Cloud Gateway, an API gateway built on the Spring Framework. According to the Spring advisory, applications are exposed when the Gateway Actuator endpoint is enabled, exposed and unsecured, in which case an unauthenticated, remote attacker can achieve remote code execution on the gateway host. The flaw was fixed in Spring Cloud Gateway 3.1.1 and 3.0.7.

According to Microsoft, Sysrv-K also scans for WordPress configuration files and for backup copies of them, in an attempt to extract database credentials and take over the web server. The botnet also has updated command-and-control capabilities, including support for Telegram.
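The wp-config backup hunt described above works because the web server executes wp-config.php as PHP, but a stray copy such as wp-config.php.bak or wp-config.php~ is usually served as plain text, handing out the DB_USER and DB_PASSWORD defines to anyone who requests it. The following script is an added example, not Microsoft's or SecurityWeek's code, written for a defender to run against their own webroot: it lists wp-config copies carrying common backup or editor suffixes and notes whether each still contains database credentials. The suffix list and the constructed demo webroot are assumptions made for illustration, not details from the article.

```python
"""Find WordPress config backups that a web server would serve as plain text.

Added example, not Microsoft's or SecurityWeek's code. The suffix list and the
demo webroot are assumptions for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Suffixes that editors, admins and deploy scripts commonly leave behind.
# wp-config.php itself is parsed as PHP; a copy with one of these suffixes is
# normally served verbatim, exposing the DB_* defines.  (Assumed list.)
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".txt", "~", ".1", ".dist")

# Matches define( 'DB_USER', ... ) style lines regardless of quoting/spacing.
CRED_RE = re.compile(r"define\(\s*['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"]", re.I)


def is_wp_config_backup(name: str) -> bool:
    """True for wp-config.php.bak, wp-config.php~, .wp-config.php.swp, etc.

    The live wp-config.php and the shipped wp-config-sample.php are not flagged.
    """
    base = name.lstrip(".")          # vim/emacs swap files start with a dot
    if base == "wp-config.php" or not base.startswith("wp-config"):
        return False
    return base.endswith(BACKUP_SUFFIXES) or base.startswith("wp-config.php.")


def find_exposed_configs(webroot):
    """Walk webroot and return sorted (relative path, still_has_credentials)."""
    findings = []
    root = Path(webroot)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_wp_config_backup(name):
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""
            findings.append((path.relative_to(root).as_posix(), bool(CRED_RE.search(text))))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample webroot (fake credentials) for the demo and the test."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    creds = 'define( "DB_USER", "wpuser" );\ndefine( "DB_PASSWORD", "hunter2" );\n'
    Path(root, "wp-config.php").write_text("<?php\n" + creds)        # live, not flagged
    Path(root, "wp-config.php.bak").write_text("<?php\n" + creds)    # exposed copy
    Path(root, "wp-content").mkdir()
    Path(root, "wp-content", "wp-config.php~").write_text("<?php\n" + creds)  # editor backup
    Path(root, "wp-config-sample.php").write_text("<?php\n// sample, no creds\n")
    Path(root, "index.php").write_text("<?php echo 'hi';\n")
    return root


if __name__ == "__main__":
    for rel, has_creds in find_exposed_configs(build_demo_webroot()):
        print(f"{rel}: {'contains DB credentials' if has_creds else 'review manually'}")
```

Run it with the webroot path in place of `build_demo_webroot()`; anything it lists should be deleted, and if the copy still held live credentials, the database password rotated, since it may already have been fetched.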

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” Microsoft notes.

To mitigate the risk posed by this botnet, organizations are advised to secure all internet-facing systems by applying available security patches promptly and following security best practices. Because the malware spreads using whatever SSH keys it finds on a compromised host, keys and credentials stored on an infected system should be treated as exposed and rotated.

Related: Spring4Shell Vulnerability Exploited by Mirai Botnet

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Related: All About the Bots: What Botnet Trends Portend for Security Pros

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
