The operators of the Sysrv botnet are abusing vulnerabilities in WordPress and the Spring Framework to launch attacks against Linux and Windows servers, Microsoft has warned.
In a Twitter thread, researchers from the Microsoft Security Intelligence team explained that a new variant of the botnet, dubbed Sysrv-K, is being used to deploy cryptominers and other malware onto target systems.
The exploit relies on a chain of vulnerabilities (including CVE-2022-22947 and CVE-2022-22947) that have already been fixed, but are still present in systems that have not yet been updated.
New botnet capabilities
The recent spate of attacks has been made possible by new facilities introduced to the Sysrv botnet that help actively hunt down vulnerable servers and kill off any competing malware present on a target system.
Once inside, Sysrv-K also spreads itself throughout a network using a combination of stolen credentials and brute-force password stuffing attacks, Microsoft says.
“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” explained the threat intelligence team.
“A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server.”
The best way to shield against attacks launched via the Sysrv botnet is to establish an effective patch management policy that allows for vulnerable systems to be updated as swiftly as possible, and to ensure strong account credentials and two-factor authentication are in place across the board.
“We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene,” wrote Microsoft, before seizing the opportunity to plug its own endpoint protection software, which is said to shield against all Sysrv variants.
