A new variant of the Sysrv botnet has added a recent Spring Cloud Gateway vulnerability to its exploit portfolio, Microsoft warns.
The Sysrv botnet has been active since at least late 2020, looking to exploit known security bugs in access interfaces in order to compromise Windows and Linux systems and install a Monero cryptominer on them.
Sysrv was previously seen targeting web apps and databases, including MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts, Mongo-Express, and Oracle WebLogic, among others.
The botnet scans the internet to identify vulnerable web servers it can compromise. Although patches exist for all of the targeted vulnerabilities, the compromised servers evidently had not applied them.
According to Microsoft Security Intelligence, a recently observed variant of the botnet, which is dubbed Sysrv-K, has expanded the portfolio of exploits.
“We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers,” Microsoft tweeted.
The targeted vulnerabilities, the tech giant says, include file download and file disclosure, path traversal, and remote code execution flaws.
“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947,” the company says.
CVE-2022-22947 (CVSS score of 10) is a critical vulnerability in Spring Cloud Gateway – an API gateway based on the popular Spring Framework – that exposes applications to code injection attacks, allowing unauthenticated, remote attackers to achieve remote code execution.
According to Microsoft, Sysrv-K also scans for WordPress configuration files and their backups, in an attempt to extract database credentials and take over the web server. Moreover, the botnet packs updated communication capabilities, such as support for Telegram.
“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” Microsoft notes.
To mitigate the risks posed by this botnet, organizations are advised to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.
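One concrete check a defender can run against the WordPress-configuration behaviour described above: scan web server access logs for requests to backup copies of wp-config.php (the files that, unlike wp-config.php itself, a web server returns as plain text, credentials included) and walk the document root for any such copies left on disk. This is an added example, not code from the article or from Microsoft; the log lines and filename patterns are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2022:10:01:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 3211 "-" "Go-http-client/1.1"
203.0.113.7 - - [15/May/2022:10:01:03 +0000] "GET /wp-config.php~ HTTP/1.1" 404 199 "-" "Go-http-client/1.1"
198.51.100.4 - - [15/May/2022:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2022:10:02:11 +0000] "GET /blog/wp-config.php.old HTTP/1.1" 403 150 "-" "Go-http-client/1.1"
198.51.100.4 - - [15/May/2022:10:03:00 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Backup/editor copies of wp-config.php (.bak, .old, .orig, .save, .swp, .tar.gz, trailing ~, ...).
# These are served as plain text because the web server does not treat them as PHP.
CONFIG_BACKUP_RE = re.compile(r'/\.?wp-config\.php(?:\.[A-Za-z0-9.]+|~)$', re.IGNORECASE)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_config_backup_probes(log_text):
    """Return {client_ip: [(path, status), ...]} for requests aimed at wp-config backups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and CONFIG_BACKUP_RE.search(rec["path"]):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def served_config_backups(hits):
    """Paths that answered 200: the file was actually disclosed, so rotate the DB credentials."""
    return sorted({path for recs in hits.values() for path, status in recs if status == 200})


def find_backup_files_on_disk(webroot):
    """Walk a document root and list wp-config backup copies a web server could serve."""
    found = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            rel = "/" + os.path.relpath(os.path.join(dirpath, name), webroot).replace(os.sep, "/")
            if CONFIG_BACKUP_RE.search(rel):
                found.append(rel)
    return sorted(found)
```

A 200 response to any of these paths means the database credentials in that file should be treated as compromised, not merely at risk.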
Related: Spring4Shell Vulnerability Exploited by Mirai Botnet
Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers
Related: All About the Bots: What Botnet Trends Portend for Security Pros

More from Ionut Arghire