The Spring Framework and WordPress plugins are used by millions of people worldwide. However, these plugins have particular unpatched vulnerabilities. The cybercriminals behind the Sysrv botnet have found new ways of exploiting these vulnerabilities to target Windows and Linux users.
Their motivation? To infect Linux and Windows systems with crypto mining software. The new botnet variant, Sysrv-K, was programmed to search and identify potential flaws in WordPress plugins and recent remote code execution (RCE) flaw in the Spring Cloud Gateway (CVE-2022-22947).
A New Syrv Botnet Variant
The Microsoft Security Intelligence team informed the public in a recent tweet about the botnet threat. According to them, recent security updates have addressed these new-found vulnerabilities and old ones. However, the risk of getting infected is still there.
The Spring Cloud is an open-source library that has the role of easing the process of developing JVM applications for the cloud. The Spring Cloud Gateway provides a library in the scope of building API Gateways for Spring and Java.
The CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library. An attacker can use it to perform remote code execution on unpatched hosts. This flaw negatively affected the VMware and Oracle products, and both vendors are using their efforts to remedy the issues.
How Sysrv-K Bonet Acts
According to the Microsoft Security Intelligence team, the Sysrv-K botnet is a severe threat. It can take control of web servers. It does this by scanning the internet for any vulnerability that can allow it to install itself.
Such vulnerabilities might include RCE, arbitrary file download, path traversal, and remote file disclosure. Both security research companies Lacework Labs and Juniper Threat Labs noticed two primary malware components.
The malware stands out in finding potential vulnerabilities by scanning the web. And it installs the XMRig cryptocurrency miner on potential victims’ PCs to mine the Monero cryptocurrency.
Sysrv-K’s new feature allows itself to scan for WordPress config files and their backups. It uses them to steal credentials and access the webserver. The botnet also has updated communication capabilities. For example, it can now use a Telegram bot, as stated by Microsoft.
Once the intrusion is established, any network may become part of the Sysrv-K botnet. Like the older Sysrv-K variants, it can scan for SSH keys, IP addresses, and even hostnames. The botnet then connects to other systems in the network through SSH, if it can, and deploy copies of itself to other unsuspecting victims.
How to Protect Yourself From Sysrv and Other Botnets
According to Microsoft, organizations should secure-internet-facing Linux or Windows systems. Individuals and companies should focus on implementing security updates and protecting their credentials. Microsoft stated that their Microsoft Defender for Endpoint could detect Sysrv-K and older variants. However, there are other ways you can defend yourself from botnets and malware. Here is how!
Use a VPN
Companies and individuals should consider using a VPN for their Windows and Linux PCs. A VPN can significantly boost your cybersecurity and protect your network or network intrusions from other infected systems.
A VPN is a virtual private network that hides your actual IP address and encrypts your online data. Have you ever wondered, “what is my IP”?, your unique address is to identify your device on the internet or local network?
When you use a VPN, you will see your “fake IP” on the software. This fake IP replaces your real one, deterring would-be attackers. With a VPN, you can also change your geo-location, and thus IP, from other parts of the world.
This way, hackers and cybercriminal software won’t be able to find you. Some VPN providers have additional cybersecurity tools to help you out, such as the threat protection or killswitch feature. Threat protection, for example, neutralizes threats before having a chance to take a shot at your PC’s security.
Don’t Update Just Your OS
Updates are very important for your security. However, you shouldn’t update just your OS. Even software that you use can become outdated and become vulnerable. You should thus update everything on your PC periodically.
Two Factor Authentication
Some passwords are easily broken, while other PC users implement a secondary layer of protection. Having a strong password is essential in both cases, and if you use two-factor authentication, your PC will be more protected. You should also use a password manager if you struggle to remember complex passwords.
Use Premium Antiviruses
Any PC should have a good antivirus installed. Antiviruses are constantly updated to deal with the latest threats. Don’t use free antiviruses as they won’t be efficient enough to deal with the newest online threats.
