Microsoft Warns of Cryptojacking Botnet
Microsoft warns of a new malware variant that exploits vulnerabilities in web platforms and databases to install cryptocurrency miners on Windows and Linux systems. The Sysrv botnet, in its newly renamed Sysrv-K form, is a malware variant that infects Windows and Linux servers with crypto-mining malware.
The cryptojacking botnet has been active since the last quarter of 2020, but its activities were discovered in April 2021. The Sysrv-K malware targets web servers in order to deploy cryptocurrency miners: it scans the internet for web servers with various vulnerabilities through which it can install itself.
The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution. According to the Microsoft Security Intelligence team, all of these vulnerabilities have been addressed by security updates.
Among the vulnerabilities exploited are CVE-2022-22947 and flaws in WordPress plugins. CVE-2022-22947 is a code injection vulnerability in Spring Cloud Gateway rated as critical; it has a CVSS (Common Vulnerability Scoring System) score of 10.0.
Because CVE-2022-22947 is frequently abused, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities Catalog.
Microsoft Sheds More Light on how the Botnet Works
The Microsoft Security Intelligence team observed new behaviors and stated in a tweet that Sysrv-K scans for WordPress configuration files and their backups to retrieve database credentials.
The retrieved credentials are used to gain control of the web server. Sysrv-K also has updated communication capabilities, including the ability to use a Telegram bot. The team said that Sysrv-K scans for SSH keys, IP addresses and host names before connecting to other systems to deploy copies of itself, putting networks at risk of attack by the botnet.
The team suggested actions to be taken: “We highly recommend organizations secure internet-facing systems, including timely application of security updates and building credential hygiene.”
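A defender can run the same kind of search on their own web roots before the botnet does. The script below is an added example written for this article, not code from Microsoft or from the Sysrv-K report: it walks a web root, lists wp-config.php and common backup copies of it (the backup suffix list is an assumption, not a list from the report), flags copies that are world-readable, and reports which DB_* constants each file defines without ever printing their values. The sample web root it builds is constructed for the demonstration and contains a placeholder password.

```python
import os
import re
import stat
import tempfile

# Live WordPress config plus common editor/backup copies. The suffix list is an
# assumption for this example; extend it to match your own deployment habits.
BACKUP_PATTERN = re.compile(
    r"^wp-config\.php(\.(bak|backup|old|orig|save|swp|txt|\d+)|~)?$", re.IGNORECASE
)

# Constants in wp-config.php that hold database credentials.
DB_CONSTANT = re.compile(r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")


def find_wp_config_files(webroot):
    """Walk webroot and return sorted paths of wp-config.php and lookalike backups."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if BACKUP_PATTERN.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def is_world_readable(path):
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def extract_db_credential_names(path):
    """Return the DB-related constant names defined in the file; values are never read out."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for line in f:
            m = DB_CONSTANT.search(line)
            if m:
                found.append(m.group(1))
    return found


def audit(webroot):
    """Return one finding per config file: path, whether it is a backup copy,
    whether it is world-readable, and which credential constants it defines."""
    findings = []
    for path in find_wp_config_files(webroot):
        findings.append({
            "path": path,
            "is_backup": os.path.basename(path).lower() != "wp-config.php",
            "world_readable": is_world_readable(path),
            "credentials": extract_db_credential_names(path),
        })
    return findings


def build_sample_webroot():
    """Construct a throwaway web root (sample data) with a correctly permissioned
    live config and a stray, world-readable backup copy next to it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    body = (
        "<?php\n"
        "define( 'DB_NAME', 'wordpress' );\n"
        "define( 'DB_USER', 'wpuser' );\n"
        "define( 'DB_PASSWORD', 'placeholder-not-a-real-secret' );\n"
        "define( 'DB_HOST', 'localhost' );\n"
    )
    for name, mode in (("wp-config.php", 0o640), ("wp-config.php.bak", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_webroot()):
        tag = "BACKUP" if finding["is_backup"] else "live"
        perm = "WORLD-READABLE" if finding["world_readable"] else "restricted"
        print(f"{tag:6} {perm:15} {finding['path']} defines {finding['credentials']}")
```

Point it at a real web root with `audit("/var/www")` and treat every `is_backup` hit as something to delete or move out of the document root, and every `world_readable` hit as a permissions fix; the web server's own rules for serving `.bak`/`~` files should be checked separately, since this script only inspects the filesystem.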