Security researchers employed by Microsoft have recently spotted a variant of the Sysrv botnet. They have dubbed the new variant Sysrv-K.
This new variant works in two ways. First, it exploits a flaw in the Spring Cloud Gateway that allows remote code execution (tracked as CVE-2022-22947). Second, the botnet scans the web for WordPress plugins with older, unpatched vulnerabilities.
Of significance, this variant of the botnet can take control of web servers, which makes it dangerous indeed.
Additionally, Sysrv-K contains new features that the original Sysrv botnet lacked. These include exploits for six different Remote Code Execution vulnerabilities that target the ThinkPHP framework, Drupal CMS, the VMware products XML-RPC, XXL-Job, SaltStack, as well as MongoDB's Mongo Express admin interface.
Microsoft's researchers had this to say about their recent discovery:
“A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot.
Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet.”
Sysrv-K constitutes a significant threat if you rely on any of the code mentioned above. Be sure your IT Security staff is aware of this new threat so they can prepare for and guard against it.
Sadly, one thing we know for sure about 2022 is that this won't be the last serious threat we are forced to bring to your attention in a bid to shed light on the latest activities in the hacking world. Stay vigilant out there.