logo
DATABASE RESOURCES PRICING ABOUT US

New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners

Description

[![srv botnet](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEicZ3YCqRUQhUZkpqbOdBQhVsgIeNcHh1FbdjTs_6yJWhzD84fQd-AX9EMJ9IQBzfUPW7ncPd_Cd15TrK0wldMRabU5qAKxZFXl3P-q3fNKZSSk3W8I8z_xZJDtHdwzN-eaA8LMpCwQd7HsTySNS-tKSGZWS5-YqYIbpL4MQXUGchl_0U7SrPKCB0U_/s728-e1000/iot-botnet-malware.png)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEicZ3YCqRUQhUZkpqbOdBQhVsgIeNcHh1FbdjTs_6yJWhzD84fQd-AX9EMJ9IQBzfUPW7ncPd_Cd15TrK0wldMRabU5qAKxZFXl3P-q3fNKZSSk3W8I8z_xZJDtHdwzN-eaA8LMpCwQd7HsTySNS-tKSGZWS5-YqYIbpL4MQXUGchl_0U7SrPKCB0U_/s728-e100/iot-botnet-malware.png>) Microsoft is warning of a new variant of the **srv botnet** that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems. The tech giant, which has called the new version **Sysrv-K**, is said to weaponize an [array of exploits](<https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence>) to gain control of web servers. The cryptojacking botnet first emerged in December 2020. "Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company [said](<https://twitter.com/MsftSecIntel/status/1525158219206860801>) in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities." This also includes [CVE-2022-22947](<https://tanzu.vmware.com/security/cve-2022-22947>) (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request. It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its [Known Exploited Vulnerabilities Catalog](<https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html>). A key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a [Telegram Bot](<https://thehackernews.com/2022/05/researchers-warn-of-eternity-project.html>). Once infected, lateral movement is facilitated through [SSH keys](<https://en.wikipedia.org/wiki/Secure_Shell>) available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk. "The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware," Lacework Labs researchers [noted](<https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/>) last year. "Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems." Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk. Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.


Related