Microsoft has once again alerted users about a new Sysrv botnet variant that targets web servers. The new variant exploits bugs in the target databases and then gains complete control of them.
Microsoft Warns Of Sysrv Botnet Variant
In a recent Twitter thread, Microsoft Security Intelligence has elaborated on the new Sysrv botnet variant.
As explained, they discovered the new botnet variant, identified as “Sysrv-K,” targeting databases and web apps for cryptomining. For this purpose, Sysrv-K exploits different vulnerabilities to take control of the target device. These exploits range from path traversal bugs to remote code execution flaws. It then installs “coin miners” on the system and executes other malicious activities.
Notably, this new botnet exhibits advanced capabilities, and can target Windows and Linux systems alike.
Besides exploiting bugs in web apps and databases, the new variant also scans for WordPress plugin vulnerabilities. This behavior expands the attack surface the adversaries can use to drop the crypto malware. It also scans databases to retrieve credentials, exhibiting data-stealing functionality, and it has improved communication capabilities.
A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot.
— Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022
Explaining further, Microsoft stated that the information Sysrv-K scans for includes IP addresses, SSH keys, and host names. The malware also tries to replicate itself to other connected systems on the target network via SSH. In this way, it strives to take control of the entire network, transforming it into a crypto mining botnet.
Microsoft confirmed having patched the vulnerabilities (including CVE-2022-22947) that Sysrv-K could exploit when targeting a system in January 2020. Nonetheless, the tech giant urges users, especially organizations, to remain careful: given how often users fail to promptly update their systems, such attacks can easily succeed despite patches being available.
Microsoft also recommends that businesses protect their “internet-facing” systems and practice “credential hygiene”.
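As an added defender-side check (example code written for this article, not from Microsoft's thread or from the Sysrv-K analysis), the following Python script walks a web root looking for copies of the WordPress config that a typical PHP web server would serve back as plain text rather than execute, the kind of backups the tweet above says Sysrv-K harvests, and reports which DB_* credential defines each one still contains. The backup naming patterns, the regex and the constructed sample files are assumptions.

```python
import os
import re
import tempfile

# Files named like the WordPress config that do not end in ".php" are typically
# not handed to the PHP interpreter; they are served as plain text, so any
# DB_* defines inside are readable by anyone who requests the URL (assumption).
CONFIG_PREFIX = "wp-config"
DB_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"][^'"]*['"]\s*\)"""
)

def is_exposed_config_name(name):
    """True for wp-config copies a web server would serve as text."""
    return name.startswith(CONFIG_PREFIX) and not name.endswith(".php")

def find_exposed_configs(webroot):
    """Walk webroot and return {relative_path: [DB_* keys]} for every
    exposed config copy that still contains database credential defines."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if not is_exposed_config_name(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    keys = DB_DEFINE_RE.findall(fh.read())
            except OSError:
                continue  # unreadable by us: skip rather than crash the scan
            if keys:
                findings[os.path.relpath(path, webroot)] = keys
    return findings

def scan_sample_webroot():
    """Build a constructed web root in a temp dir and scan it (sample data)."""
    live = ("<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DB_USER', 'wpuser' );\n"
            "define( 'DB_PASSWORD', 'placeholder-secret' );\ndefine( 'DB_HOST', 'localhost' );\n")
    samples = {
        "wp-config.php": live,                      # live config: executed, not served
        "wp-config.php.bak": live,                  # admin backup: served as text
        "wp-config.php~": "<?php\ndefine('DB_PASSWORD', 'old-secret');\n",  # editor backup
        "wp-config.txt": "notes only, no defines\n",  # non-PHP but holds no credentials
    }
    root = tempfile.mkdtemp(prefix="webroot-")
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return find_exposed_configs(root)
```

Run `find_exposed_configs("/path/to/webroot")` against a real document root; any path it returns should be deleted or moved outside the web root, and the credentials it names rotated.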