Microsoft security researchers have found a new Sysrv variant, which the company has named Sysrv-K. The variant was spotted scanning the internet for WordPress plugins with known vulnerabilities. The botnet also targets a recently disclosed remote code execution (RCE) vulnerability in Spring Cloud Gateway (CVE-2022-22947). The bug affects VMware's Spring Cloud Gateway and also Oracle's Communications Cloud Native Core Network Exposure Function; both vendors rate the flaw critical. Sysrv-K is especially dangerous because it can take control of web servers. In a post, Microsoft Security Intelligence says the botnet scours the internet for web servers with exploitable vulnerabilities, abusing bugs that allow remote code execution, arbitrary file download, and other weaknesses.
— Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022
Attack
When an exploit succeeds and the malware is installed on a Windows or Linux host, the botnet drops a cryptocurrency miner. Microsoft explains how Sysrv-K copies itself to spread: “Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet.” In practice this means a private key left unprotected on an internet-facing host, together with the host names in that machine's known_hosts or shell history, is all the worm needs to hop to the next system. Microsoft tells organizations to patch and tighten credentials: “We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene. Microsoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behavior and payloads.”
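As an added example (not Microsoft's code, and not the botnet's), here is a defender-side audit that mirrors the harvesting step Microsoft describes: it walks a home directory for SSH private keys, checks whether each one is passphrase-protected, and collects the IP addresses and host names from known_hosts, the ssh config and shell history that a worm holding those keys would try next. The file locations it reads and the sample home directory it builds are assumptions for illustration.

```python
"""Audit a home directory for the SSH material a Sysrv-K-style worm harvests.

Added example, not Microsoft's or the botnet's code. The file locations and
the constructed sample home directory are assumptions for illustration.
"""
import base64
import os
import re
import struct
import tempfile

# Assumed sources of IPs/host names: known_hosts, ssh config and shell history.
HOST_FILES = (".ssh/known_hosts", ".ssh/config", ".bash_history")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loose host-name pattern: a worm tolerates false positives, so the audit does too.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def openssh_cipher(pem):
    """Cipher name from an OpenSSH 'key-v1' private key ('none' means no passphrase)."""
    lines = pem.decode("ascii", "replace").splitlines()
    blob = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return None
    (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
    return blob[len(magic) + 4:len(magic) + 4 + n].decode("ascii", "replace")


def classify_key(path):
    """Return 'plaintext', 'encrypted', or None when the file is not a private key."""
    with open(path, "rb") as f:
        data = f.read(64)
        if b"PRIVATE KEY-----" not in data:
            return None
        data += f.read()
    if data.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----"):
        return "plaintext" if openssh_cipher(data) == "none" else "encrypted"
    # Legacy PEM keys: a passphrase adds a DEK-Info header (PKCS#8 uses an ENCRYPTED banner).
    return "encrypted" if (b"DEK-Info" in data or b"ENCRYPTED" in data[:64]) else "plaintext"


def find_private_keys(root):
    """Walk the tree the way the worm does and classify every private key found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify_key(path)
            if kind:
                found.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(found)


def harvest_hosts(root):
    """Collect the IPs and host names a worm could pull from the usual files."""
    hosts = set()
    for rel in HOST_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as f:
            for line in f:
                line = line.strip()
                if rel.endswith("known_hosts"):
                    # Hashed entries (HashKnownHosts yes) begin with '|1|' and reveal nothing.
                    if not line or line.startswith(("#", "|1|")):
                        continue
                    for h in line.split()[0].split(","):
                        hosts.add(h.split("]:")[0].strip("[]"))  # drop "[host]:port" wrapping
                else:
                    hosts.update(IP_RE.findall(line))
                    hosts.update(m.lower() for m in HOST_RE.findall(line))
    return hosts


def audit(home):
    keys = find_private_keys(home)
    hosts = sorted(harvest_hosts(home))
    plaintext = [p for p, kind in keys if kind == "plaintext"]
    # Exposure in the worm's sense: an unprotected key plus somewhere to try it.
    return {"keys": keys, "plaintext_keys": plaintext, "hosts": hosts,
            "exposed": bool(plaintext) and bool(hosts)}


def build_sample(home):
    """Constructed sample home directory (not real data) with the files above."""
    os.makedirs(os.path.join(home, ".ssh"))

    def openssh_key(cipher):  # minimal constructed key-v1 blob: magic + cipher name
        blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
        return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob)
                + b"-----END OPENSSH PRIVATE KEY-----\n")

    files = {
        ".ssh/id_ed25519": openssh_key(b"none"),           # no passphrase: usable by the worm
        ".ssh/id_ecdsa": openssh_key(b"aes256-ctr"),       # passphrase-protected
        ".ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                       b"DEK-Info: AES-128-CBC,00112233\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        ".ssh/known_hosts": b"10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA\n"
                            b"web1.corp.example,192.168.1.20 ssh-rsa AAAAB3NzaC1yc2E\n"
                            b"|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA\n"
                            b"[git.corp.example]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA\n",
        ".ssh/config": b"Host bastion\n    HostName bastion.corp.example\n    User ops\n"
                       b"    IdentityFile ~/.ssh/id_ed25519\n",
        ".bash_history": b"ls -la\nssh deploy@10.0.0.7\nscp release admin@db.internal.example.com:/tmp/\n",
    }
    for rel, content in files.items():
        with open(os.path.join(home, rel), "wb") as f:
            f.write(content)


def demo_report():
    """Build the sample in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        return audit(home)


if __name__ == "__main__":
    r = demo_report()
    for path, kind in r["keys"]:
        print(f"{kind:9s} {path}")
    print("reachable hosts:", ", ".join(r["hosts"]))
    print("exposed:", r["exposed"])
```

Run it against a real home directory by calling `audit(os.path.expanduser("~"))`. Passphrase-protected keys and hashed known_hosts entries are exactly the things the worm cannot use, which is the concrete form of the "credential hygiene" Microsoft recommends; any key reported as plaintext on an internet-facing host should be protected or removed.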