
New Version of 'Sysrv' Botnet is Targeting Windows and Linux Servers

 

Microsoft recently unearthed a new version of the Sysrv botnet, tracked as Sysrv-K, capable of abusing bugs in WordPress and Spring Framework to install crypto-mining malware on vulnerable Windows and Linux servers. The variant has been upgraded with multiple features, including scanning for unpatched WordPress and Spring deployments. 

"The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers" by exploiting various vulnerabilities, the Microsoft Security Intelligence team tweeted. "These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins as well as newer vulnerabilities like CVE-2022-22947."

CVE-2022-22947 (CVSS score of 10) is a critical code injection vulnerability in Spring Cloud Gateway. When the Gateway Actuator endpoint is enabled, exposed, and unsecured, an unauthenticated remote attacker can submit a crafted route definition whose filter arguments are evaluated as a SpEL expression, which yields remote code execution on the host. The fixed releases are 3.1.1 and 3.0.7; where the actuator endpoint is not needed it can be disabled outright with management.endpoint.gateway.enabled=false.
 
Sysrv-K also scans for WordPress configuration files and backup copies of them (which web servers serve as plain text rather than executing as PHP), in an attempt to steal database credentials and take over the web server. In addition, the botnet has updated command-and-control capabilities, including support for Telegram. 
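The backup-file exposure described above is easy to audit from the server side. The following is an added example, not code from the page or from Microsoft: it walks a WordPress docroot, flags anything that looks like a leftover copy of wp-config.php, and shows which DB_* constants each copy would leak. The sample docroot is constructed inside the script, and the set of backup names it recognises is an assumption about common admin habits, not the list Sysrv-K itself probes for.

```python
"""
Find leftover copies of wp-config.php that a web server would hand out as plain
text (wp-config.php.bak, wp-config.php~, wp-config.old, editor swap files) and
show which database credentials each one leaks.
Added example for auditing a WordPress docroot; the sample docroot is
constructed below and the backup-name patterns are an assumption about common
admin habits, not the list Sysrv-K itself probes for.
"""
import os
import re
import tempfile

# define('DB_USER', 'x') / define("DB_PASSWORD", "y"), whitespace-tolerant
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def is_config_backup(name: str) -> bool:
    """True for anything that looks like a copy of wp-config.php other than the live file."""
    n = name.lower()
    if n in ("wp-config.php", "wp-config-sample.php"):
        return False          # live file runs as PHP; the sample ships only placeholders
    if n.startswith("wp-config"):
        return True           # wp-config.php.bak, wp-config.old, wp-config.php~, wp-config.php.20220101
    return n.startswith(".wp-config") or n.startswith("#wp-config")   # vim .swp / emacs autosave


def leaked_credentials(text: str) -> dict:
    """Pull the DB_* constants out of a PHP config body."""
    return {key: value for key, value in DEFINE_RE.findall(text)}


def scan_webroot(root: str) -> list:
    """Walk a docroot and return [(relative_path, {DB_*: value}), ...] for every backup found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_config_backup(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    creds = leaked_credentials(fh.read())
            except OSError:
                creds = {}        # unreadable for us, but still served if the web server can read it
            findings.append((os.path.relpath(path, root), creds))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample docroot: the live config plus two leftovers an attacker could fetch."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    live = (
        "<?php\n"
        "define('DB_NAME', 'wp');\n"
        "define('DB_USER', 'wpuser');\n"
        'define("DB_PASSWORD", "S3cret!");\n'
        "define('DB_HOST', 'localhost');\n"
    )
    files = {
        "wp-config.php": live,
        "wp-config.php.bak": live,                                # copy taken before an edit
        "wp-config.php~": live.replace("S3cret!", "OldPass1"),    # editor backup with a stale password
        "wp-config-sample.php": "<?php\ndefine('DB_NAME', 'database_name_here');\n",
        "wp-content/uploads/readme.txt": "nothing sensitive here\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, creds in scan_webroot(build_sample_webroot()):
        shown = ", ".join(f"{k}={v}" for k, v in creds.items()) or "no DB_* constants"
        print(f"{rel}: {shown}")
```

Run against a real docroot, the script only reports what is already on disk; the fix is to delete the copies and, as a backstop, deny the web server access to any filename beginning with wp-config (for Apache, a FilesMatch block with Require all denied) so a future leftover is not served even if the scan is forgotten. Note that a stale backup still matters: the old password in wp-config.php~ may still be valid on the database.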

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and hostnames, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” the Microsoft team added. 

The botnet has been active since at least December 2020, and its activity was first publicly documented in April 2021 by multiple security researchers. Sysrv-K takes control of web servers by scanning the internet for them and then exploiting a range of vulnerability classes: path traversal, remote file disclosure, arbitrary file download, and remote code execution. Once the malware runs on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner. 

After killing competing cryptocurrency miners and deploying its own payloads, the botnet spreads laterally by attempting SSH logins to other hosts using private keys, host names, and addresses harvested from various locations on the infected server (e.g., bash history, the SSH client configuration, and known_hosts files). 
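To judge the blast radius of that lateral-movement step on your own hosts, it helps to reconstruct what a worm would see from one compromised account. The block below is an added example (not Sysrv-K code and not from the page): it parses an ~/.ssh/config, a known_hosts file and a shell history, and reports the concrete targets and key paths an attacker could try. All three inputs are constructed samples with made-up addresses, names and key material; the option-parsing rules for ssh/scp/sftp are an approximation of OpenSSH's, which is enough for a history file but is not a full command-line parser.

```python
"""
Reconstruct what an SSH-spreading worm could learn from one compromised shell
account: hosts named in ~/.ssh/config, known_hosts and shell history, and the
private-key paths it could reuse against them.  Added example for auditing
lateral-movement exposure, not Sysrv-K code; the three input files are
constructed samples, and the keys, addresses and host names in them are made up.
"""
import re

SAMPLE_SSH_CONFIG = """\
Host bastion
    HostName 10.0.0.5
    User ops
    IdentityFile ~/.ssh/id_ed25519
Host db-*
    User dba
    IdentityFile ~/.ssh/db_key
"""

SAMPLE_KNOWN_HOSTS = """\
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal
db-01.internal,10.0.1.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIExampleNotReal
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGVkaG9zdG5hbWVoYXNoZWQ= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleNotReal
"""

SAMPLE_BASH_HISTORY = """\
ls -la
ssh ops@10.0.0.5
ssh -i ~/.ssh/db_key dba@db-01.internal
scp backup.tgz root@10.0.2.20:/var/backups/
ssh -p 2222 deploy@build.internal uptime
"""

USER_AT_HOST = re.compile(r"(?<![\w.])([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)")
FLAGS_WITH_ARG = set("bBcDeEFiIJlLmoOpQRSwW")      # OpenSSH options that consume the next token
CONFIG_KEYS = {"hostname": "HostName", "user": "User", "identityfile": "IdentityFile"}


def parse_ssh_config(text: str) -> dict:
    """Host alias -> {HostName, User, IdentityFile}; wildcard aliases are kept so the caller can skip them."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = value
            hosts[current] = {"HostName": current}
        elif current is not None and key in CONFIG_KEYS:
            hosts[current][CONFIG_KEYS[key]] = value
    return hosts


def parse_known_hosts(text: str) -> tuple:
    """(plain host names/addresses, count of hashed '|1|' entries that reveal nothing)."""
    plain, hashed = set(), 0
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        first = fields[1] if fields[0].startswith("@") else fields[0]   # skip @cert-authority/@revoked
        if first.startswith("|1|"):
            hashed += 1
        else:
            plain.update(first.split(","))
    return plain, hashed


def parse_history(text: str) -> tuple:
    """(user@host targets from ssh/scp/sftp commands, key paths passed with -i)."""
    targets, keys = set(), set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("ssh", "scp", "sftp"):
            continue
        targets.update(f"{u}@{h}" for u, h in USER_AT_HOST.findall(line))
        i = 1
        while i < len(tokens):               # walk options to catch -i and bare 'ssh <host>'
            tok = tokens[i]
            if len(tok) == 2 and tok[0] == "-" and tok[1] in FLAGS_WITH_ARG and i + 1 < len(tokens):
                if tok == "-i":
                    keys.add(tokens[i + 1])
                i += 2
            elif tok.startswith("-"):
                i += 1
            else:
                if tokens[0] == "ssh" and "@" not in tok:
                    targets.add(tok)         # host only; the worm would retry with the current user
                break
    return targets, keys


def lateral_exposure(ssh_config: str, known_hosts: str, history: str) -> dict:
    """Everything a worm on this account could try: targets, keys, and how much known_hosts hid."""
    cfg = parse_ssh_config(ssh_config)
    plain_hosts, hashed = parse_known_hosts(known_hosts)
    hist_targets, hist_keys = parse_history(history)
    keys = hist_keys | {v["IdentityFile"] for v in cfg.values() if "IdentityFile" in v}
    targets = hist_targets | plain_hosts
    for alias, v in cfg.items():
        if "*" in alias or "?" in alias:
            continue                         # pattern entries name no concrete host
        targets.add(f"{v['User']}@{v['HostName']}" if "User" in v else v["HostName"])
    return {"targets": sorted(targets), "keys": sorted(keys), "hashed_known_hosts": hashed}


if __name__ == "__main__":
    report = lateral_exposure(SAMPLE_SSH_CONFIG, SAMPLE_KNOWN_HOSTS, SAMPLE_BASH_HISTORY)
    print(f"{len(report['targets'])} reachable targets, {len(report['keys'])} keys, "
          f"{report['hashed_known_hosts']} known_hosts entries hidden by hashing")
```

Two of the findings translate directly into hardening: the hashed known_hosts line (written when the client runs with HashKnownHosts yes, or after ssh-keygen -H) gives the worm nothing, while every plain entry and every history line is a ready-made target list; and unencrypted key files referenced from config or history are reusable as soon as the account is compromised, which is the argument for passphrase-protected or agent-held keys scoped to single hosts rather than one key trusted everywhere.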

Subsequently, the botnet aggressively scans the Internet for more vulnerable Windows and Linux systems to add to its army of Monero mining bots. To mitigate the risk, organizations are advised to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.

Multiple QNAP NAS Devices Targeted by eCh0raix Ransomware

 

Customers of QNAP network-attached storage (NAS) devices are reporting that their systems are being targeted with the eCh0raix ransomware, also known as QNAPCrypt. The attackers behind this particular malware ramped up their activity a few weeks before Christmas, gaining control of the devices with administrator privileges. 

The surge in attacks 

According to BleepingComputer, users of QNAP and Synology NAS systems have been regularly reporting eCh0raix ransomware attacks, but more of them started to report incidents around December 20. The surge in the number of attacks is confirmed by the ID Ransomware service, where submissions started to increase on December 19 and peaked on December 26.

At this time, it remains unclear how the attackers compromised the QNAP devices. Some users claim that the attackers abused a vulnerability in the Photo Station software, while others admit they had not secured the device properly. 

Regardless of the initial access method, the attackers appear to first create a user in the administrators group and then use that account to encrypt the contents of the NAS. According to QNAP users, some of whom were using the NAS for business purposes, the malware encrypted pictures and documents. 
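Because the observed pattern is an added account in the administrators group, an unexpected-admin check is a cheap detection on any Linux-based NAS that gives you a shell. The script below is an added example, not QNAP tooling: it reads passwd- and group-style data, works out which accounts hold administrator rights (group membership, primary gid, or uid 0) and reports those not on an allowlist. The group name "administrators" and the file contents are assumptions and constructed sample data; set ADMIN_GROUP to whatever your device reports from getent group.

```python
"""
Check a Linux-based NAS for accounts that hold administrator rights without
being on an allowlist, using /etc/passwd and /etc/group contents.  Added
example, not QNAP tooling; the group name "administrators" and the sample file
contents below are assumptions/constructed data, so adjust ADMIN_GROUP to
whatever your device actually uses.
"""

ADMIN_GROUP = "administrators"     # assumption: QTS-style naming; confirm with `getent group` on the device

# Constructed sample: the built-in admin plus an account an attacker added.
SAMPLE_PASSWD = """\
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
backup-svc:x:1000:100:backup:/share/homes/backup-svc:/bin/sh
svc_sync:x:1001:0:svc_sync:/share/homes/svc_sync:/bin/sh
"""

SAMPLE_GROUP = """\
administrators:x:0:admin,svc_sync
everyone:x:100:admin,guest,backup-svc
"""


def parse_colon_file(text: str) -> list:
    """Split passwd/group style lines into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def admin_accounts(passwd_text: str, group_text: str, admin_group: str = ADMIN_GROUP) -> dict:
    """
    Map each account with administrator rights to the reasons it has them:
    'member'  - listed in the admin group's member field,
    'primary' - the admin group's gid is the account's primary gid,
    'uid0'    - the account is root-equivalent regardless of group.
    An account can carry several reasons.
    """
    groups = {row[0]: row for row in parse_colon_file(group_text) if len(row) >= 4}
    users = {row[0]: row for row in parse_colon_file(passwd_text) if len(row) >= 7}
    reasons = {}

    def add(name, why):
        reasons.setdefault(name, set()).add(why)

    admin_gid = None
    if admin_group in groups:
        admin_gid = groups[admin_group][2]
        for member in filter(None, groups[admin_group][3].split(",")):
            add(member, "member")
    for name, row in users.items():
        if admin_gid is not None and row[3] == admin_gid:
            add(name, "primary")
        if row[2] == "0":
            add(name, "uid0")
    return reasons


def unexpected_admins(passwd_text: str, group_text: str, allowlist: set,
                      admin_group: str = ADMIN_GROUP) -> dict:
    """Admin-capable accounts that are not on the allowlist, with the reasons they qualify."""
    return {name: sorted(why)
            for name, why in admin_accounts(passwd_text, group_text, admin_group).items()
            if name not in allowlist}


if __name__ == "__main__":
    for name, why in unexpected_admins(SAMPLE_PASSWD, SAMPLE_GROUP, {"admin"}).items():
        print(f"UNEXPECTED admin account {name}: {', '.join(why)}")
```

Checking the primary gid and uid 0 as well as the member list matters: an attacker who creates the account with the admin group as its primary group never appears in the group file's member field, so a check on that field alone misses it. Feed the script the device's real files (cat /etc/passwd and cat /etc/group over SSH) and keep the allowlist to the accounts you created yourself.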

Another thing that stands out in this campaign is that the extension of the ransom note appears to be mistyped: the files are dropped with a ".TXTT" extension. This does not change the instructions themselves, but some users will have to open the file explicitly with a program such as Notepad. 

In these recent attacks the threat actors demand ransoms ranging from 0.024 BTC (about $1,200) to 0.06 BTC (about $3,000). Some users had no backups and paid the attackers to recover their files. "It is important to note that there is a free decryptor for files locked with an older version (before July 17th, 2019) of eCh0raix ransomware. However, there is no free solution to decrypt data locked by the latest variants of the malware (versions 1.0.5 and 1.0.6)," reported BleepingComputer. 

eCh0raix/QNAPCrypt attacks began in June 2019 and have remained a continual threat ever since. Earlier this year QNAP warned its users about a new wave of eCh0raix attacks targeting devices with weak passwords.