Monero-mining botnet targets Windows, Linux web servers

Sysrv-K malware infects unpatched tin, Microsoft warns


The latest variant of the Sysrv botnet malware is menacing Windows and Linux systems with an expanded list of vulnerabilities to exploit, according to Microsoft.

The strain, which Microsoft's Security Intelligence team calls Sysrv-K, scans the internet for web servers that have security holes, such as path traversal, remote file disclosure, and arbitrary file download bugs, that can be exploited to infect the machines.

The vulnerabilities, all of which have patches available, include flaws in WordPress plugins as well as the recently uncovered remote code execution hole in Spring Cloud Gateway, tracked as CVE-2022-22947, that Uncle Sam's CISA warned of this week.

Once running on a compromised system, Sysrv-K deploys a Monero cryptocurrency miner, which will siphon compute resources from the system to generate digicash. It can also rifle through WordPress files on compromised machines to take control of web server software, and use Telegram as a communications channel, Microsoft warned.

"A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server," the Microsofties wrote in a series of tweets. "Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot."
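The credential-harvesting step above relies on configuration copies that should not be lying around. The following is an added example (not Microsoft's or Cujo AI's code) of a defender-side audit: it walks a web document root, flags any stray copy of wp-config.php (the .bak, ~ and .old variants are an assumed heuristic; the page does not list the names the malware probes for) and flags a live wp-config.php that every local user can read. The sample directory tree it builds is constructed for the demonstration.

```python
"""Audit a web document root for WordPress configuration files and leftover
backup copies.

Added example for illustration; it is not Microsoft's or Cujo AI's code.
Sysrv-K is reported to read wp-config.php and its backups to harvest database
credentials, so this walks a document root and flags (a) any copy of the
configuration other than the live one (wp-config.php.bak, wp-config.php~,
wp-config.old and the like) and (b) a live wp-config.php readable by every
local user. The backup-name heuristic is an assumption; the page does not say
which file names the malware probes for.
"""
import os
import stat
import tempfile
from pathlib import Path

LIVE_NAME = "wp-config.php"
SAMPLE_NAME = "wp-config-sample.php"   # shipped with WordPress, holds no secrets


def classify(path: Path):
    """Return 'live', 'backup' or None for a file name."""
    name = path.name.lower()
    if name == LIVE_NAME:
        return "live"
    if name == SAMPLE_NAME:
        return None
    # Heuristic (assumption): anything else named wp-config* is a stray copy.
    if name.startswith("wp-config"):
        return "backup"
    return None


def world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set on the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_webroot(root: Path):
    """Return sorted (relative_path, finding) tuples for the tree under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            kind = classify(p)
            rel = p.relative_to(root).as_posix()
            if kind == "backup":
                findings.append((rel, "stray copy of wp-config.php in web root"))
            elif kind == "live" and world_readable(p):
                findings.append((rel, "wp-config.php is world-readable"))
    return sorted(findings)


def make_sample_webroot(live_mode: int = 0o640) -> Path:
    """Create a constructed sample tree in a temp directory for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="wpaudit_"))
    (root / LIVE_NAME).write_text("<?php define('DB_PASSWORD', 'placeholder');\n")
    os.chmod(root / LIVE_NAME, live_mode)
    (root / SAMPLE_NAME).write_text("<?php // sample shipped with WordPress\n")
    (root / "wp-config.php.bak").write_text("<?php // old copy\n")
    (root / "old").mkdir()
    (root / "old" / "wp-config.php~").write_text("<?php // editor backup\n")
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    # Run the audit against the constructed tree with a loosely permissioned live config.
    for rel, msg in audit_webroot(make_sample_webroot(live_mode=0o644)):
        print(f"{rel}: {msg}")
```

Point `audit_webroot` at a real document root to use it; the sample-tree builder exists only so the script runs offline. Note that wp-config-sample.php is deliberately exempted because WordPress ships it and it contains no credentials.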

Sysrv-K, like previous variants, also scans for SSH keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. The researchers warned that these invaded systems can be rolled into a remote-controlled botnet relatively easily.

"We highly recommend organizations to secure internet-facing systems, including timely application of security updates and building credential hygiene," they wrote, adding that their Microsoft Defender for Endpoint, natch, detects both Sysrv-K and older variants as well as related behavior and payloads.

A quick study

Sysrv was spotted in December 2020, and has evolved rapidly since. In a blog post in the fall, Dorka Palotay, senior threat researcher with cybersecurity vendor Cujo AI, noted that the worm and cryptominer malware has undergone several iterations.

One way that it stood out was the use of the Go programming language, which brings with it easy cross-compilation capabilities – it has a single code base that can output executables for disparate architectures – and its large file size makes the binaries a pain to reverse engineer, Palotay wrote.

"At its core, Sysrv is a worm and a cryptocurrency miner," she wrote. "The two modules were in separate files in its early versions, but its developers have since combined the two. The worm module simply initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and tries to infiltrate the servers with a hard-coded password dictionary attack."
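The dictionary attack Palotay describes, and the SSH-based spreading noted earlier, leave a recognisable trace on the target: a burst of authentication failures from one source address trying several accounts. The following is an added example (not Cujo AI's or Microsoft's code) that parses sshd "Failed password" lines and reports any source exceeding a threshold within a sliding time window. The log lines, the threshold and the window are constructed for the demonstration.

```python
"""Flag password-guessing bursts in sshd authentication logs.

Added example, not Microsoft's or Cujo AI's code. Sysrv spreads with a
hard-coded password dictionary and over SSH; on the receiving host that shows
up as many authentication failures from one source in a short window. The
sample log below is constructed; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog-style sshd output (not a real capture).
SAMPLE_LOG = """\
Jun 30 10:00:01 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jun 30 10:00:02 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Jun 30 10:00:04 web1 sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 50114 ssh2
Jun 30 10:00:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 50115 ssh2
Jun 30 10:00:07 web1 sshd[2214]: Failed password for admin from 203.0.113.7 port 50116 ssh2
Jun 30 10:00:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 50117 ssh2
Jun 30 10:03:30 web1 sshd[2290]: Failed password for alice from 198.51.100.9 port 41000 ssh2
Jun 30 10:03:41 web1 sshd[2291]: Accepted password for alice from 198.51.100.9 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(lines, year=2022):
    """Return (timestamp, source_ip, username) for each failed-login line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bursts(events, threshold=5, window_seconds=60):
    """Map source IP -> (max failures in any window, usernames tried in it)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, (0, []))[0]:
                users = sorted({u for _, u in attempts[start:end + 1]})
                alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_bursts(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {count} failures, accounts tried: {', '.join(users)}")
```

Feed it `/var/log/auth.log` lines (or journald output in the same format) instead of the sample to use it on a live host; the year argument exists because syslog timestamps omit it.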

As the botnet evolved, more exploit code was added to enhance its worm capabilities. The malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets.

"People used to say that Linux was free from malware," Palotay wrote. "Well, not only was it not true for the past 25 years, but we now live in an age where Linux is as promising a target for threat actors as some Windows endpoints due to its widespread usage as an operating system across many organizations. And, even more importantly, it serves as the OS for popular Internet-of-Things devices."

She listed more than two dozen Sysrv exploits that are useful against a range of software suites, including JBoss, Adobe ColdFusion, Atlassian Confluence and Jira, various Apache tools, and Oracle WebLogic.

"Sysrv included a small set of exploits in its initial campaigns. Over time, as it was developed and transformed, Sysrv continually incorporated new exploits to spread more effectively," Palotay wrote.

"Interestingly, we not only saw exploits being added to the code, but also some specific exploits undergoing several development stages. Sysrv's developers updated some functions in multiple samples until they either reached a satisfying result or simply got rid of them. Some exploits were used only in one or two samples, while others proved useful and stuck around." ®
