Microsoft sounds the alarm in the face of a new wave of attacks on Windows and Linux servers

Operators of the Sysrv botnet are abusing vulnerabilities in WordPress and the Spring Framework to launch attacks against Linux and Windows servers, Microsoft warned.

In a Twitter thread, researchers from the Microsoft Security Intelligence team explained that a new variant of the botnet, dubbed Sysrv-K, is used to deploy cryptominers and other malware on target systems.

The exploit relies on a chain of vulnerabilities (including CVE-2022-22947) that have already been patched but remain present on systems that have not yet been updated.

New botnet capabilities

The recent wave of attacks was made possible by new features added to the Sysrv botnet that let it actively scan for vulnerable servers and remove any competing malware already present on a targeted system.

Once inside, Sysrv-K also spreads through the network using a combination of stolen credentials and brute-force and credential-stuffing attacks, Microsoft says.

"Like previous variants, Sysrv-K looks up SSH keys, IP addresses, and hostnames, then attempts to connect to other systems on the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet," the threat intelligence team explained.

"A new behavior seen in Sysrv-K is that it searches WordPress configuration files and their backups to retrieve the database credentials, which it uses to take control of the web server."
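A defender's counterpart to the behaviour in that quote, added here as an example and not code from Microsoft or the article: a small audit that walks a web root for WordPress configuration files and stray backup copies, and flags copies that should be deleted and live configs that are readable by everyone. The "any file named like wp-config that is not wp-config.php" heuristic and the demo directory tree are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

LIVE_CONFIG = "wp-config.php"

def is_stray_copy(name: str) -> bool:
    """Heuristic (assumption): any file whose name contains 'wp-config'
    but is not exactly wp-config.php is treated as a backup or editor
    leftover (wp-config.php.bak, wp-config.php~, .wp-config.php.swp ...)."""
    return "wp-config" in name and name != LIVE_CONFIG

def audit_wp_configs(webroot: str) -> list:
    """Walk the web root and report every live config and stray copy.
    A stray copy should be removed; a live config readable by 'other'
    should be tightened, because any process that reaches the file
    system can lift DB_USER / DB_PASSWORD from it."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if name != LIVE_CONFIG and not is_stray_copy(name):
                continue
            path = Path(dirpath) / name
            world_readable = bool(path.stat().st_mode & stat.S_IROTH)
            if is_stray_copy(name):
                action = "delete stray copy"
            elif world_readable:
                action = "chmod 600"
            else:
                action = "ok"
            findings.append({"path": str(path), "stray": is_stray_copy(name),
                             "world_readable": world_readable, "action": action})
    return findings

def build_demo_webroot() -> str:
    """Constructed sample tree: one locked-down live config, one
    world-readable .bak copy of it, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    site = Path(root) / "var" / "www" / "html"
    site.mkdir(parents=True)
    live = site / LIVE_CONFIG
    live.write_text("<?php define('DB_PASSWORD', 'sample-only');\n")
    live.chmod(0o600)                      # correctly restricted
    stale = site / "wp-config.php.bak"
    stale.write_text(live.read_text())     # same secrets, forgotten copy
    stale.chmod(0o644)                     # readable by everyone
    (site / "index.php").write_text("<?php echo 'hello';\n")
    return root

if __name__ == "__main__":
    for f in audit_wp_configs(build_demo_webroot()):
        print(f"{f['action']:<18} {f['path']}")
```

Point the function at a real web root (for example /var/www) to get the same report for an actual server.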

The best way to protect against attacks launched via the Sysrv botnet is to establish an effective patch management policy that allows vulnerable systems to be updated as quickly as possible, and to ensure that strong account security, including two-factor user authentication and proper credential hygiene, is in place at all levels.

"We urge organizations to secure Internet-facing systems, including the timely application of security updates and credential hygiene," Microsoft wrote, before taking the opportunity to plug its own endpoint protection software, which it says protects against all variants of Sysrv.