‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

A new variant of the Sysrv botnet has added a recent Spring Cloud Gateway vulnerability to its exploit portfolio, Microsoft warns.

The Sysrv botnet has been active since at least late 2020, looking to exploit known security bugs in access interfaces in order to compromise Windows and Linux systems and install a Monero cryptominer on them.

Sysrv was previously seen targeting web apps and databases, including MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts, Mongo-Express, and Oracle WebLogic, among others.

The botnet scans the internet to identify vulnerable web servers it can compromise. Although patches exist for all of the targeted vulnerabilities, the victim servers have yet to be patched, it seems.

According to Microsoft Security Intelligence, a recently observed variant of the botnet, which is dubbed Sysrv-K, has expanded the portfolio of exploits.

“We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers,” Microsoft tweeted.

The targeted vulnerabilities, the tech giant says, include file download and file disclosure, path traversal, and remote code execution flaws.

“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947,” the company says.

CVE-2022-22947 (CVSS score of 10) is a critical vulnerability in Spring Cloud Gateway – an API gateway based on the popular Spring Framework – that exposes applications to code injection attacks, allowing unauthenticated, remote attackers to achieve remote code execution.

According to Microsoft, Sysrv-K would also scan for WordPress configuration files and for their backups, in an attempt to extract database credentials and take over the web server. Moreover, the botnet packs updated communication capabilities, such as support for Telegram.

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” Microsoft notes.

To mitigate the risks posed by this botnet, organizations are advised to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.

Related: Spring4Shell Vulnerability Exploited by Mirai Botnet

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Related: All About the Bots: What Botnet Trends Portend for Security Pros