
Microsoft warns: This botnet has new tricks to target Linux and Windows systems | ZDNet


Microsoft has warned that a new variant of the Sysrv botnet is exploiting a critical flaw in Spring Cloud Gateway to install cryptocurrency mining malware on Linux and Windows systems. 

Microsoft researchers spotted a new variant of Sysrv, which they call Sysrv-K, scanning the internet for WordPress plugins with older vulnerabilities as well as for a recently disclosed remote code execution (RCE) flaw in Spring Cloud Gateway, tracked as CVE-2022-22947.  

The flaw affected VMware’s Spring Cloud Gateway and Oracle’s Communications Cloud Native Core Network Exposure Function and was given a critical rating by both firms. 

Sysrv-K can gain control of web servers, Microsoft Security Intelligence warned. The botnet scans the internet to locate web servers and then exploits vulnerability classes such as path traversal, remote file disclosure, arbitrary file download and remote code execution. Once the malware is running on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner.

Sysrv-K adds new features to the older variants. In April 2021, Juniper reported that Sysrv was bundled with exploits for six RCE vulnerabilities affecting installations of MongoDB's Mongo Express admin interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, and the XXL-JOB and XML-RPC projects. It also carried exploits for the PHP framework Laravel, Oracle WebLogic, Atlassian Confluence Server, Apache Solr, PHPUnit, JBoss Application Server, Apache Hadoop, Jenkins, Jupyter Notebook Server, Sonatype Nexus Repository Manager, Tomcat Manager, and WordPress. 

The malware's two functions were to spread itself across networks by scanning the internet for vulnerable systems, and to install the XMRig cryptocurrency miner to mine Monero. But Microsoft warns it can now also harvest database credentials to take control of an infected web server.  

“A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot,” Microsoft Security Intelligence said. 
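The credential-harvesting step described above can be reproduced from the defender's side. The following script is an added example written for this page, not Microsoft's analysis code or anything recovered from the malware: it walks a WordPress web root, finds every `wp-config*` file, pulls out the `DB_*` defines, and flags backup copies and world-readable files. The list of backup names it looks for and the sample configuration it builds in a temporary directory are constructed for the example; the article only says the botnet reads "configuration files and their backups".

```python
"""Audit a WordPress web root for wp-config.php copies that expose DB credentials.

Added example for this page (not Microsoft's or the malware's code). Sample
files are constructed in a temporary directory so the script runs offline.
"""
import os
import re
import stat
import tempfile

# Matches WordPress-style credential defines, e.g. define( 'DB_PASSWORD', 'secret' );
CRED_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def extract_db_creds(text):
    """Return a dict of the DB_* constants defined in a wp-config.php body."""
    return {name: value for name, value in CRED_RE.findall(text)}


def find_config_exposures(webroot):
    """Report every wp-config* file under webroot that contains DB credentials.

    A backup copy (wp-config.php.bak, wp-config.php~, wp-config.old, ...) is the
    dangerous case: PHP does not execute it, so a web server that serves the
    file hands the plaintext credentials to any client that requests it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.startswith("wp-config"):
                continue
            if name == "wp-config-sample.php":   # ships with WordPress, placeholder values only
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                creds = extract_db_creds(fh.read())
            if not creds:                        # unrelated or empty file
                continue
            mode = os.stat(path).st_mode
            findings.append({
                "path": os.path.relpath(path, webroot),
                "is_backup": name != "wp-config.php",
                "world_readable": bool(mode & stat.S_IROTH),
                "keys": sorted(creds),
            })
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample config; the password is a placeholder, not a real secret.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'constructed-sample-password' );
define( 'DB_HOST', 'localhost' );
"""


def demo():
    """Build a constructed web root with a live config and a leaked backup, then audit it."""
    root = tempfile.mkdtemp(prefix="wproot-")
    live = os.path.join(root, "wp-config.php")
    backup = os.path.join(root, "wp-config.php.bak")
    sample = os.path.join(root, "wp-config-sample.php")
    for path in (live, backup):
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONFIG)
    with open(sample, "w") as fh:
        fh.write("<?php\ndefine( 'DB_PASSWORD', 'password_here' );\n")
    os.chmod(live, 0o600)    # correct: owner-only
    os.chmod(backup, 0o644)  # typical editor/backup default: world-readable
    return find_config_exposures(root)


if __name__ == "__main__":
    for finding in demo():
        flag = "LEAK" if finding["is_backup"] or finding["world_readable"] else "ok"
        print(f"{flag:4} {finding['path']} backup={finding['is_backup']} "
              f"world_readable={finding['world_readable']} keys={','.join(finding['keys'])}")
```

Run it against a real document root (`find_config_exposures("/var/www/html")`) to see what an attacker with file-read access, or a web server that serves `.bak` files, would obtain. Any hit with `is_backup` set should be deleted, and the live file should not be world-readable.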

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” it added. 
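To see what the SSH spreading step has to work with on a given host, the following added example (written for this page, not Microsoft's or the malware's code) enumerates the material the quote above names: private key files, host names and IP addresses recorded in `known_hosts` (hashed entries are skipped, since they reveal nothing), and `Host`/`HostName` targets from the SSH client config. The `~/.ssh` contents it builds in a temporary directory are constructed; the parsing of `known_hosts` markers (`@revoked`, `|1|` hashes, `[host]:port`) follows the documented OpenSSH file format.

```python
"""List the SSH pivot surface a worm would find in an ~/.ssh directory.

Added example for this page (not Microsoft's or the malware's code). A sample
~/.ssh directory is constructed in a temp dir so the script runs offline.
"""
import os
import tempfile


def parse_known_hosts(text):
    """Return the set of host names / IPs readable from known_hosts content."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith("|1|"):
            continue                            # HashKnownHosts entry: name not recoverable
        for entry in fields[0].split(","):      # several names may share one key
            if entry.startswith("["):           # [host]:port form
                entry = entry[1:].split("]")[0]
            hosts.add(entry)
    return hosts


def parse_ssh_config(text):
    """Return (host aliases, HostName values, IdentityFile paths) from an ssh_config body."""
    aliases, hostnames, identities = set(), set(), set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":                       # skip wildcard blocks such as "Host *"
            aliases.update(v for v in value.split() if "*" not in v and "?" not in v)
        elif key == "hostname":
            hostnames.add(value)
        elif key == "identityfile":
            identities.add(value)
    return aliases, hostnames, identities


def find_private_keys(ssh_dir):
    """Return file names in ssh_dir whose first line is a PEM/OpenSSH private key header."""
    keys = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="ignore") as fh:
            head = fh.readline()
        if head.startswith("-----BEGIN") and "PRIVATE KEY" in head:
            keys.append(name)
    return keys


def pivot_surface(ssh_dir):
    """Summarise keys and reachable targets visible from one ~/.ssh directory."""
    def read(name):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            return ""
        with open(path, "r", errors="ignore") as fh:
            return fh.read()
    aliases, hostnames, identities = parse_ssh_config(read("config"))
    targets = parse_known_hosts(read("known_hosts")) | aliases | hostnames
    return {"private_keys": find_private_keys(ssh_dir),
            "targets": sorted(targets),
            "identity_files": sorted(identities)}


# Constructed sample files; key material is a placeholder, not a real key.
KNOWN_HOSTS = """# constructed sample
web02.internal,10.0.0.7 ssh-ed25519 AAAAC3placeholder
|1|hashedsalt=|hashedhost= ssh-ed25519 AAAAC3placeholder
[bastion.internal]:2222 ecdsa-sha2-nistp256 AAAAE2placeholder
@revoked old-host ssh-rsa AAAAB3placeholder
"""
SSH_CONFIG = """Host db01
    HostName 10.0.0.5
    IdentityFile ~/.ssh/id_ed25519
Host *
    ServerAliveInterval 30
"""


def demo():
    """Build a constructed ~/.ssh directory and report its pivot surface."""
    ssh_dir = tempfile.mkdtemp(prefix="ssh-")
    files = {
        "known_hosts": KNOWN_HOSTS,
        "config": SSH_CONFIG,
        "id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
        "id_ed25519.pub": "ssh-ed25519 AAAAC3placeholder\n",
    }
    for name, body in files.items():
        with open(os.path.join(ssh_dir, name), "w") as fh:
            fh.write(body)
    return pivot_surface(ssh_dir)


if __name__ == "__main__":
    print(demo())
```

Every target listed is a host the worm could try with every key listed. Hosts that show up only in hashed `known_hosts` lines are invisible to this kind of harvesting, which is what `HashKnownHosts yes` buys you; passphrase-protected keys and agent-only keys likewise limit what a copied key file is worth.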

Microsoft warned organizations to secure internet-facing systems, apply security updates and protect credentials. 
