Microsoft Warns A Sinister Crypto Mining Botnet Is Actively Enslaving Windows And Linux
No one in computer security can catch a break lately, it seems, as yet another piece of malware has turned up that breaks into web servers through known security flaws.
Named Sysrv-K by the researchers behind Microsoft's Security Intelligence Twitter account, the malware is a new variant of the Sysrv botnet. Once it has broken into a machine it installs a crypto-coin miner, and its method of distribution is particularly nasty and could make it prolific.
What Sysrv-K does is scan the internet for exposed web servers with known security holes. When it finds one, it exploits the hole to install itself and start the crypto miner, which eats large amounts of CPU. That is not great for anyone on a pay-as-you-go cloud plan, where the attacker's mining shows up on your bill.
On top of that, it looks through WordPress configuration files and their backups to harvest database credentials, which it uses to take control of the web server. It also collects SSH keys, IP addresses, hostnames and more from the infected machine, and it can report what it finds to its operators through a Telegram bot.
We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.
— Microsoft Security Intelligence (@MsftSecIntel), May 13, 2022
Sysrv-K also tries to spread over SSH to other servers and devices on the local network, as well as to targets found by its internet scans. That makes it a worm by the textbook definition: software that copies itself to new hosts without any user action. A single compromised web server can therefore lead to infection across a network or a datacenter.
On the WordPress side, some of the exploits target outdated plugins with known vulnerabilities. On the other side it exploits CVE-2022-22947, a code-injection flaw in Spring Cloud Gateway that is fixed in versions 3.1.1 and 3.0.7; earlier releases in the 3.1.x and 3.0.x lines (and older, unsupported versions) are affected, and the flaw is only reachable when the Gateway actuator endpoint is enabled and exposed.
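The two conditions described above, leaked WordPress configuration copies and an unpatched, actuator-exposed Spring Cloud Gateway, are both things an administrator can audit for locally before a scanner like Sysrv-K does. The following script is an added example, not code from Microsoft or from the original article; it walks a directory tree you point it at, flags wp-config.php backup copies and world-readable live copies, reads the Spring Cloud Gateway starter version out of pom.xml or build.gradle and compares it against the fixed versions, and checks application.properties for an actuator exposure list that includes the gateway endpoint. The sample tree it builds under a temporary directory is constructed for the demonstration and is not a real capture; the Maven/Gradle regexes assume the version is declared right next to the artifact.

```python
"""Local audit for the Sysrv-K preconditions: wp-config leaks and CVE-2022-22947 exposure."""
import os
import re
import stat
import tempfile

# Names an attacker enumerates when hunting for leaked WordPress DB credentials.
WP_CONFIG_RE = re.compile(
    r"^wp-config\.php(?:~|\.(?:bak|old|orig|save|swp|txt|zip|gz|\d+)|-backup)?$", re.I
)
# Maven / Gradle declarations of the Spring Cloud Gateway starter (assumes version follows artifact).
POM_RE = re.compile(
    r"<artifactId>spring-cloud-starter-gateway</artifactId>\s*<version>([^<]+)</version>", re.S
)
GRADLE_RE = re.compile(r"spring-cloud-starter-gateway:([\w.\-]+)")
# Actuator exposure setting in application.properties (YAML would need a real parser).
ACTUATOR_RE = re.compile(r"management\.endpoints\.web\.exposure\.include\s*[=:]\s*(.+)")


def _version_tuple(version):
    """'3.0.5' -> (3, 0, 5); '2.2.9.RELEASE' -> (2, 2, 9). Missing parts become 0."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def gateway_version_vulnerable(version):
    """CVE-2022-22947: fixed in 3.1.1 and 3.0.7; older unsupported lines are also affected."""
    v = _version_tuple(version)
    if v[:2] == (3, 1):
        return v[2] < 1
    if v[:2] == (3, 0):
        return v[2] < 7
    return v < (3, 0, 0)


def parse_gateway_version(build_text):
    """Return the declared spring-cloud-starter-gateway version, or None if absent."""
    m = POM_RE.search(build_text) or GRADLE_RE.search(build_text)
    return m.group(1).strip() if m else None


def actuator_exposes_gateway(properties_text):
    """True when the actuator exposure list includes the gateway endpoint or the '*' wildcard."""
    for m in ACTUATOR_RE.finditer(properties_text):
        names = {n.strip().strip("\"'").lower() for n in m.group(1).split(",")}
        if "*" in names or "gateway" in names:
            return True
    return False


def audit_tree(root):
    """Walk root and return sorted (relative_path, issue) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if WP_CONFIG_RE.match(name):
                if name.lower() != "wp-config.php":
                    findings.append((rel, "wp-config backup copy in web tree"))
                elif os.stat(path).st_mode & stat.S_IROTH:
                    findings.append((rel, "live wp-config.php is world-readable"))
            elif name in ("pom.xml", "build.gradle"):
                with open(path, encoding="utf-8") as fh:
                    version = parse_gateway_version(fh.read())
                if version and gateway_version_vulnerable(version):
                    findings.append((rel, f"spring-cloud-starter-gateway {version} affected by CVE-2022-22947"))
            elif name == "application.properties":
                with open(path, encoding="utf-8") as fh:
                    if actuator_exposes_gateway(fh.read()):
                        findings.append((rel, "actuator exposes gateway endpoint (CVE-2022-22947 precondition)"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample input: a WordPress web root plus a vulnerable and a patched Spring app."""
    root = tempfile.mkdtemp(prefix="sysrvk-audit-")

    def write(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)

    write("public_html/wp-config.php", "<?php define('DB_PASSWORD', 'example');", 0o644)
    write("public_html/wp-config.php.bak", "<?php define('DB_PASSWORD', 'example');")
    write("public_html/wp-config.php~", "<?php define('DB_PASSWORD', 'old');")
    write("app/pom.xml", "<dependency><groupId>org.springframework.cloud</groupId>"
          "<artifactId>spring-cloud-starter-gateway</artifactId><version>3.0.5</version></dependency>")
    write("app/src/main/resources/application.properties",
          "server.port=8080\nmanagement.endpoints.web.exposure.include=*\n")
    write("patched/pom.xml", "<dependency><artifactId>spring-cloud-starter-gateway</artifactId>"
          "<version>3.1.1</version></dependency>")
    write("patched/wp-config.php", "<?php define('DB_PASSWORD', 'example');", 0o600)
    return root


if __name__ == "__main__":
    for rel, issue in audit_tree(build_sample_tree()):
        print(f"{rel}: {issue}")
```

Run it against a real web root or application checkout instead of the sample tree by calling audit_tree with that path. The version check deliberately treats anything below 3.0.0 as affected, matching the vendor's note that older unsupported releases are also vulnerable, and the actuator check reports the wildcard as well as an explicit gateway entry, since either one satisfies the exposure precondition.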
The issues are severe enough that even the US government has taken notice: CISA (the Cybersecurity & Infrastructure Security Agency) has added the exploited flaws to its catalog of known exploited vulnerabilities. Microsoft specifically advises users and sysadmins to secure any internet-facing systems, apply pending updates, and check credential hygiene, since leaked WordPress database passwords and reused SSH keys are exactly what this botnet feeds on.
All of that is standard best practice, though as of this month's Patch Tuesday some Microsoft servers are having authentication problems after the updates. Microsoft also points out that its own endpoint protection product, Microsoft Defender for Endpoint, detects this botnet; given the severity, other endpoint monitoring products are likely to add detections soon.