"'Sysrv' Botnet Targeting Recent Spring Cloud Gateway Vulnerability"

Security researchers at Microsoft are warning that a new variant of the Sysrv botnet has added a recent Spring Cloud Gateway vulnerability to its exploit portfolio. The Sysrv botnet has been active since at least late 2020, exploiting known security bugs in access interfaces to compromise Windows and Linux systems and install a Monero cryptominer on them. The researchers stated that Sysrv was previously seen targeting web apps and databases, including MongoDB, Jira, Confluence, Drupal, ThinkPHP, Salt-API, Apache Struts, Mongo-Express, and Oracle WebLogic, among others. The researchers noted that the botnet scans the internet to identify vulnerable web servers it can compromise. Although patches exist for all of the targeted vulnerabilities, the researchers stated that the victim servers have yet to be patched.

The researchers recently observed that a new variant of the botnet, dubbed Sysrv-K, has expanded the portfolio of exploits. The targeted vulnerabilities include file download and file disclosure, path traversal, and remote code execution flaws. The researchers noted that these vulnerabilities, all of which have been addressed by security updates, include old vulnerabilities in WordPress plugins and newer vulnerabilities such as CVE-2022-22947. According to Microsoft, Sysrv-K also scans for WordPress configuration files and their backups to extract database credentials and take over the web server. Moreover, the botnet packs updated communication capabilities, such as support for Telegram. Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet.
The researchers stated that to mitigate the risks posed by this botnet, organizations are advised to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.
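One of the "security best practices" that follows directly from the report is to make sure no copy of wp-config.php is sitting in the web root where a file-disclosure or path-traversal bug would expose it. The script below is an added example written for this summary, not code from Microsoft or SecurityWeek: it walks a document root, flags files that look like wp-config.php backups (the suffix list and the world-readable check are assumptions about typical deployments), and reports whether each copy still defines DB_PASSWORD so the administrator knows the credentials need rotating as well as the file removed.

```python
"""Audit a WordPress document root for leftover wp-config.php copies.

Added example (not from the report summarised above). Sysrv-K is reported to
look for WordPress configuration files and their backups to harvest database
credentials; this check lists such copies so they can be deleted and the
credentials they hold rotated. The suffix list and permission check are
assumptions about common hosting setups, not anything stated in the report.
"""
import os
import re
import stat

CONFIG_NAME = "wp-config.php"

# Suffixes editors, deploy scripts and admins commonly leave behind when a
# config is copied or edited in place (assumed list; extend for your tooling).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".txt", ".swp", "~", ".1")

# Matches define('DB_PASSWORD', ...) with either quote style and any spacing.
DB_PASSWORD_RE = re.compile(r"define\s*\(\s*['\"]DB_PASSWORD['\"]")


def is_config_backup(filename: str) -> bool:
    """True if filename looks like a copy of wp-config.php rather than the live file.

    A leading dot is stripped so vim swap files (.wp-config.php.swp) are caught;
    wp-config-sample.php is deliberately not flagged, it ships with WordPress.
    """
    if filename == CONFIG_NAME:
        return False
    stem = filename.lstrip(".")
    return stem.startswith(CONFIG_NAME) and stem[len(CONFIG_NAME):] in BACKUP_SUFFIXES


def contains_db_credentials(path: str) -> bool:
    """True if the file still defines DB_PASSWORD, i.e. a leak means rotating it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return DB_PASSWORD_RE.search(fh.read()) is not None


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set (any local user or process can read it)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_docroot(docroot: str) -> list:
    """Walk docroot and return one finding per wp-config backup, sorted by path.

    Each finding is a dict: path (relative to docroot), has_credentials,
    world_readable. Sorting keeps output stable for diffing between runs.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if not is_config_backup(name):
                continue
            full = os.path.join(dirpath, name)
            findings.append({
                "path": os.path.relpath(full, docroot),
                "has_credentials": contains_db_credentials(full),
                "world_readable": is_world_readable(full),
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in audit_docroot(root):
        flags = []
        if finding["has_credentials"]:
            flags.append("contains DB credentials: rotate them")
        if finding["world_readable"]:
            flags.append("world-readable")
        print(f"{finding['path']}: {', '.join(flags) or 'backup copy present'}")
```

Run it as `python audit_wpconfig.py /var/www/html` (path assumed) from cron or a configuration-management check; an empty result is the expected state, and any finding with `has_credentials` set should be treated as a credential exposure, not just a cleanup item, since the report says the botnet is specifically harvesting those values.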

SecurityWeek reports: "'Sysrv' Botnet Targeting Recent Spring Cloud Gateway Vulnerability"