Headline
New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer
By Deeba Ahmed Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft… This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer
Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems.
The Microsoft Security Intelligence team posted a series of tweets on their official Twitter handle (@MsftSecIntel) to reveal startling details on the new variant of the notorious Sysrv botnet dubbed Sysrv-K.
According to the thread, the new variant exploits vulnerabilities recently identified in the Spring Framework’s API gateway called the Spring Cloud Gateway and WordPress and deploys cryptocurrency miners on Windows and Linux systems.
How does the Botnet work?
According to Microsoft, the botnet first scans the web to identify vulnerable servers and installs itself. The vulnerabilities it looks for include remote file disclosure, remote code execution, path traversal, and arbitrary file download.
The tech giant noted that Sysrv-K exploits numerous old flaws, particularly those identified in WordPress, as well as new vulnerabilities like CVE-2022-22947, which has a CVSS score of 10 and affects the Spring Cloud Gateway and Oracle’s Communications Cloud-Native Core Network Exposure Function.
The vulnerability exposes apps to code injection attacks and allows unauthorized attackers to carry out remote code execution. Interestingly, all these vulnerabilities have patches.
Details of Sysrv and Sysrv-K
The Sysrv botnet has been active since late 2020 and exploits known security flaws in access interfaces to install a Monero crypto miner on compromised Windows and Linux systems. The older version of the botnet targeted databases and web apps, such as Confluence, Jira, MongoDB, Oracle WebLogic, ThinkPHP, Mongo-Express, Drupal, Apache Struts, and Salt-API, reported Juniper in 2021.
The new version comes with a range of new features. Such as it can scan for WordPress configuration files and their backups to extract database credentials. The botnet uses the information to control the webserver.
Additionally, it boasts advanced communication features, including using a Telegram bot. It can scan for SSH keys, hostnames, and IP addresses and spread its copies across the network to infect the entire network and make it a part of its botnet army.
Microsoft Security Intelligence team on Twitter
More Linux and Windows Botnet News
- Old crypto-malware makes come back, hits Windows, Linux devices
- Kraken botnet bypasses Windows Defender to steal crypto wallet data
- HolesWarm crypto-malware hits unpatched Linux and Windows servers
- Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices
- Linux & Windows hit with disk wiper, ransomware & crypto Xbash malware
How to Stay Safe?
Microsoft suggests that organizations using internet-exposed Linux or Windows systems must install security updates immediately as it is imperative to secure these systems. They must ensure “building credential hygiene” and timely apply security updates.
Related news
This Metasploit module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions 3.0.0 through 3.0.6 and 3.1.0. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to execute code and take control of the victim machine.
Spring4Shell and Veeam RCE exploit topped the list in Q1 2022
Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.
A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services
The Sysrv botnet has been developing over the last years, and has become a multi-platform botnet that specializes in Monero cryptomining. The post Sysrv botnet is out to mine Monero on your Windows and Linux servers appeared first on Malwarebytes Labs.
Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.
Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems. The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020. "Sysrv-K scans the
Image source: z3r00t The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.