Sysrv-Hello Botnet Rounding up WordPress Pods in Crypto-Miner Attack

Threat actors attack Kubernetes clusters for cryptomining; this time, the victims are WordPress users.

TL;DR

Sysdig Security researchers, on August 26, 2021, released a report underlying malicious activity involving Kubernetes clusters. The attackers were reported to have been deploying Sysrv-Hello Botnet in WordPress pods.

Mining cryptocurrency individually is a very unproductive task.
Mining cryptocurrency individually is a very unproductive task.
Key Facts
  1. 1

    The most recent case of botnet malware has been the Sysrv-Hello botnet.

  2. 2

    Attackers earned initial access through misconfigured WordPress pods.

  3. 3

    They (hackers) have been very elusive.

  4. 4

    Their ultimate goal is to invade the system and mine cryptocurrency at scale.

  5. 5

    The Sysrv-hello operators are actively updating configurations to match new developments.

Details

The Botnet cryptojacking attacks have been ravaging the internet since the beginning of last year. The word, Botnet, has enjoyed quality time on many headlines, with its different variants been paired with words like crypto-mining or cryptojacking. In this equally increasingly popular exercise, Kubernetes clusters have been targeted due to misconfigured Argo workflows or misconfiguration in CI/CD pipelines. These actors are always on the lookout for the slightest of weakness in a bid to strike, compromise systems, perform the mining exercise, and replicate the compromised systems. Their obfuscation tactics are not always topnotch but enough to buy ample time to complete a stretched and scaled cryptojacking activity. Mining cryptocurrency individually is a very unproductive task. Hence, they tend to compromise systems, take control of user profiles, and mine crypto at scale with the help of a crypto miner. In this case, it is a Botnet - the Sysrv-Hello Botnet.

Though the attackers have not been identified, their operation is in the air and has been brought to WordPress's attention, thanks to the research wing of the SaaS platform founded in 2013, Sysdig. The attackers have been planting the Sysrv-hello Botnet cryptominer in Kubernetes pods running WordPress. As said earlier, the goal is to control the pod, mine cryptocurrency at scale, and replicate themselves from compromised systems to keep their activities on a low profile.

Another borderline fact about this attack is using an attack script unfamiliar with malware databases, making it very elusive for security software. Only a few people have detected irregularities relating to these attacks. The Sysrv-hello botnet, initially discovered in late December 2020, is a Windows and Linux virus that leverages numerous vulnerabilities and is spread using shell scripts.

To match recent developments, Sysrv-operators are continually updating and altering the botnet. Since the first discovery, attackers have made many changes to the shell scripts that install Sysrv-hello implant on host systems, which is how the executable malware is distributed.


Get similar stories in your inbox weekly, for free

Is this news interesting? Share it with your followers

Latest stories


DevOps: Report on Devil's Practices by DORA

The report is drafted from a report release of the annual research and survey of …

Amazon Elasticsearch Gets a New Version With Name Deprecated

Accompanied by new advancements is Amazon OpenSearch, the same body of code as its predecessor, …

McAfee Partners With IBM Security to Deliver TD Synnex Security Solution

The MVISION platform and Security wing of IBM's partnership endgame are to extend increased protection …

Amazon MSK Connect Launched to Better Apache Kafka UX

Amazon follows up on its 2018 data streaming software, Amazon Managed Streaming for Apache Kafka, …

Cloud: Zone Redundant Storage Released on General Availability

The report is drafted from a press release of the Microsoft Azure team on the …

Security: IBM Traces Two-Thirds of Compromises to Misconfigured APIs

The report is drafted from a sweeping survey of dark web analysis and various X-Force …