SecurityWeek

Cloud Security

‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

A new variant of the Sysrv botnet has added a recent Spring Cloud Gateway vulnerability to its exploit portfolio, Microsoft warns.

The Sysrv botnet has been active since at least late 2020. It compromises internet-facing Windows and Linux servers by exploiting known, already patched vulnerabilities in web applications and databases, then installs a Monero cryptominer on them.


Sysrv was previously seen targeting web apps and databases, including MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts, Mongo-Express, and Oracle WebLogic, among others.

The botnet scans the internet for web servers running one of the vulnerable products. Patches exist for every vulnerability in its portfolio, so it only succeeds against servers whose owners have not applied them.

According to Microsoft Security Intelligence, a recently observed variant of the botnet, which is dubbed Sysrv-K, has expanded the portfolio of exploits.

“We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers,” Microsoft tweeted.

The targeted vulnerabilities, the tech giant says, include file download and file disclosure, path traversal, and remote code execution flaws.

“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947,” the company says.


CVE-2022-22947 (CVSS score of 10.0) is a critical code injection vulnerability in Spring Cloud Gateway, an API gateway built on the Spring Framework. When the Gateway Actuator endpoint is enabled, exposed and left unsecured, a crafted request can inject a Spring Expression Language (SpEL) expression into a route definition, allowing an unauthenticated, remote attacker to execute arbitrary code on the host. The flaw is fixed in Spring Cloud Gateway 3.1.1 and 3.0.7.

According to Microsoft, Sysrv-K also scans for WordPress configuration files (wp-config.php) and backup copies of them. The file stores the site's database credentials in plain text, and a backup copy left in the web root with a non-PHP extension is typically served verbatim rather than executed, so reading it is enough to take over the database and, from there, the web server. The new variant also packs updated communication capabilities, such as support for Telegram.
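Both reconnaissance behaviours described above, probing for backup copies of wp-config.php and writing to the Spring Cloud Gateway actuator endpoint that CVE-2022-22947 abuses, leave a trace in ordinary web-server access logs. The script below is an added example, not code from the article or from Microsoft's report; it runs two detection rules over a handful of constructed log lines. It assumes the default `/actuator` management base path and the Apache/nginx "combined" log format, and the function names `parse_line`, `classify`, `scan` and `critical_sources` are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample access-log lines ("combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2022:10:01:12 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2022:10:01:13 +0000] "GET /wp-config.php~ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2022:10:01:14 +0000] "GET /backup/wp-config.php.old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2022:10:02:01 +0000] "POST /actuator/gateway/routes/r1 HTTP/1.1" 201 0 "-" "python-requests/2.27"
198.51.100.9 - - [20/May/2022:10:02:02 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0 "-" "python-requests/2.27"
192.0.2.55 - - [20/May/2022:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
192.0.2.55 - - [20/May/2022:10:03:31 +0000] "GET /wp-config.php?x=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Minimal combined-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# wp-config.php itself is executed by PHP and returns nothing useful to a
# scanner. A copy with any extra suffix (editor or backup leftovers) is served
# as plain text and leaks the database credentials, so only those are flagged.
WP_CONFIG_BACKUP_RE = re.compile(
    r'/\.?wp-config\.php[.~_-]\S*$'                      # wp-config.php.bak, wp-config.php~, .wp-config.php.swp
    r'|/wp-config\.(?:bak|old|save|orig|txt|swp|zip)$',  # wp-config.bak and friends
    re.I,
)

# Assumption: actuator exposed at the default base path. If your deployment
# changes management.endpoints.web.base-path, adjust this prefix.
GATEWAY_ACTUATOR_RE = re.compile(r'^/actuator/gateway(?:/|$)', re.I)

WRITE_METHODS = ('POST', 'PUT', 'PATCH', 'DELETE')


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry['status'] = int(m.group('status'))
    # Drop the query string so "?x=1" cannot hide or fake a file name.
    entry['path'] = m.group('path').split('?', 1)[0]
    return entry


def classify(entry: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Return (rule, severity) for a suspicious request, else None."""
    path, status, method = str(entry['path']), int(entry['status']), str(entry['method'])
    if WP_CONFIG_BACKUP_RE.search(path):
        # A 2xx means the server actually handed the file over: credentials leaked.
        severity = 'critical' if 200 <= status < 300 else 'probe'
        return ('wp-config-backup', severity)
    if GATEWAY_ACTUATOR_RE.match(path):
        # Successful writes to the route table are what CVE-2022-22947 needs;
        # anything else against the endpoint is reconnaissance.
        severity = 'critical' if method in WRITE_METHODS and status < 400 else 'probe'
        return ('gateway-actuator', severity)
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run both rules over every line and collect the findings in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is None:
            continue
        rule, severity = hit
        findings.append({
            'ip': entry['ip'], 'method': entry['method'], 'path': entry['path'],
            'status': entry['status'], 'rule': rule, 'severity': severity,
        })
    return findings


def critical_sources(findings: List[Dict[str, object]]) -> Set[str]:
    """Client addresses that got a successful hit, i.e. the ones to block and investigate first."""
    return {str(f['ip']) for f in findings if f['severity'] == 'critical'}


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['rule']:18} {f['ip']:14} {f['method']} {f['path']} -> {f['status']}")
    print('critical sources:', sorted(critical_sources(results)))
```

Two points from the sample run are worth acting on rather than just alerting on. A 2xx on a wp-config backup probe means the file existed and was served, so treat the database password as already in the attacker's hands and rotate it after removing the file. A successful POST to the gateway actuator on an unpatched instance means route definitions may already contain injected expressions; beyond upgrading to 3.1.1 or 3.0.7, Spring's published workaround is to disable the endpoint with `management.endpoint.gateway.enabled=false` or to put it behind Spring Security.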

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” Microsoft notes.

To mitigate the risks posed by this botnet, organizations are advised to secure all of their internet-facing systems: install available security patches in a timely manner, disable or authenticate management endpoints such as the Spring Cloud Gateway actuator, keep backup copies of configuration files out of web roots, and restrict where SSH keys found on one host are accepted, since the botnet uses them to spread.

Related: Spring4Shell Vulnerability Exploited by Mirai Botnet

Related: Russia-Linked Cyclops Blink Botnet Attacking ASUS Routers

Related: All About the Bots: What Botnet Trends Portend for Security Pros

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
