BleepingComputer reports that a new Sysrv botnet variant, tracked as Sysrv-K, is infecting Windows and Linux servers with cryptomining malware by abusing security flaws in WordPress and the Spring Framework.
Sysrv-K features new exploits and capabilities not seen in the original Sysrv botnet, including the ability to scan for vulnerable Spring and WordPress implementations, as well as the exploitation of numerous security bugs, according to the Microsoft Security Intelligence Team.
"These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947," said the Microsoft Security Intelligence team in a tweet.
WordPress configuration files and backups are being targeted by Sysrv-K for database credential theft, with the stolen data leveraged for eventual web server takeovers, researchers said.
Alibaba Cloud security researchers first identified the Sysrv botnet in February 2021, with the botnet found to have exploited web app and database vulnerabilities to infect servers with Monero miners and self-spreading malware.