Microsoft warns: This botnet has new tricks targeting Linux and Windows systems

Microsoft warns that a new variant of the Sysrv botnet is exploiting a critical flaw in Spring Cloud Gateway to install cryptocurrency-mining malware on Linux and Windows systems.

Microsoft researchers have discovered a new variant of Sysrv, named Sysrv-K, that scans the Internet for WordPress plugins with old vulnerabilities and for a recently published Remote Code Execution (RCE) flaw in Spring Cloud Gateway, tracked as CVE-2022-22947.

The flaw affects VMware's Spring Cloud Gateway and Oracle's Communications Cloud Native Core Network Exposure Function, and both companies rated it critical.

Sysrv-K can take control of web servers, Microsoft Security Intelligence warned. The botnet scans the Internet for web servers and exploits a range of vulnerabilities, including path traversal, remote file disclosure, arbitrary file download, and remote code execution. Once the malware is running on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner.

Sysrv-K adds new capabilities to the older variant. In an April 2021 report, Juniper found that Sysrv bundled six RCE exploits targeting installations of MongoDB's Mongo Express management interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, XXL-JOB and XML-RPC. It also carried exploits for the Laravel PHP framework, Oracle WebLogic, Atlassian Confluence Server, Apache Solr, PHPUnit, JBoss Application Server, Apache Hadoop, Jenkins, Jupyter Notebook Server, Sonatype Nexus Repository Manager, Tomcat Manager, and WordPress.

The malware's two functions were to scan the Internet for vulnerable systems and to install the XMRig cryptocurrency miner to mine Monero, spreading across the network as it went. Microsoft now warns that it can also capture database credentials in order to take control of the infected web server.

"A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it then uses to gain control of the web server. Sysrv-K also uses a Telegram bot."

"Like older variants, Sysrv-K scans for SSH keys, IP addresses and hostnames, then attempts to connect to other systems on the network via SSH and deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet."
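As an added example (not code from the article or from Microsoft's report), here is a defender-side check for the credential-harvesting behaviour Microsoft describes in the first quote above: it walks a web root for wp-config.php and forgotten backup copies of it, extracts the DB_* defines an attacker would harvest, and flags any copy a web server would serve back as plain text. The sample web root, file names and credentials are constructed for the demo, and the "any file starting with wp-config" rule is this example's heuristic, not a list from Microsoft.

```python
"""Find WordPress configuration files and stray backup copies of them under a
web root, and report which ones expose database credentials.

Added example mirroring the Sysrv-K behaviour described in the article
(reading wp-config.php and its backups for DB credentials) from the
defender's side. Everything in the sample web root is constructed.
"""
import os
import re
import tempfile

CONFIG_NAME = "wp-config.php"

# define('DB_USER', 'wpuser');  ->  ("DB_USER", "wpuser")
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def classify(filename):
    """'live' for wp-config.php itself, 'backup' for any other file whose name
    starts with wp-config (wp-config.php.bak, wp-config.php~, .wp-config.php.swp,
    wp-config.old.php, ...), else None. Prefix rule is this example's heuristic."""
    if filename == CONFIG_NAME:
        return "live"
    if filename.lstrip(".").startswith("wp-config"):
        return "backup"
    return None


def parse_wp_config(text):
    """Extract the DB_* defines an attacker would harvest from a config file."""
    return {name: value for name, value in DEFINE_RE.findall(text)}


def served_as_text(filename):
    """True if a typical web server would return the file verbatim instead of
    executing it: anything not ending in .php. A raw copy of the config then
    leaks credentials to a plain GET, with no RCE needed."""
    return not filename.lower().endswith(".php")


def scan_webroot(root):
    """Walk the web root and return one finding per config file or backup."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                creds = parse_wp_config(fh.read())
            findings.append({
                "relpath": os.path.relpath(path, root),
                "kind": kind,
                "served_as_text": served_as_text(name),
                "credentials": creds,
            })
    return sorted(findings, key=lambda f: f["relpath"])


def build_sample_webroot():
    """Create a throwaway web root: a live config plus two forgotten backups.
    Constructed for the example; the password is a placeholder."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    config = (
        "<?php\n"
        "define('DB_NAME', 'wordpress');\n"
        "define('DB_USER', 'wpuser');\n"
        "define('DB_PASSWORD', 'example-only-password');\n"
        "define('DB_HOST', 'localhost');\n"
    )
    files = {
        "wp-config.php": config,
        "wp-config.php.bak": config,                     # left by a manual edit
        "wp-content/uploads/wp-config.php.old": config,  # copied into uploads
        "index.php": "<?php require 'wp-blog-header.php';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for finding in scan_webroot(demo_root):
        flag = "EXPOSED AS TEXT" if finding["served_as_text"] else "executed by PHP"
        print(f"{finding['kind']:6} {finding['relpath']:40} {flag} "
              f"user={finding['credentials'].get('DB_USER')}")
```

Anything flagged as exposed as text is recoverable with a single GET and no exploit, which is exactly the shortcut the malware is after: delete such copies, have the web server deny requests for wp-config* other than the live file, and rotate the database password if a copy was ever web-reachable.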

Microsoft advises organizations to secure Internet-facing systems, apply security updates promptly, and protect their credentials.
