Spring4Shell flaw is now used to spread this botnet malware

Security researchers have observed that attackers exploit the Spring4Shell Java-related flaw to install malware on target systems.

Researchers at security firms Trend Micro and Qihoo 360 saw the attacks crop up almost as soon as the bug became public.

Although Spring4Shell is not as bad as Log4Shell, most security companies, the US Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft are pushing developers to patch it if they use Java Development Kit (JDK) version 9.0 or above and the system is also running Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or earlier.


“After March 30, we started to see more attempts, such as different web shells, and today, 2022-04-01 11:33:09 (GMT+8), less than a day after the vendor released the advisory, a variant of Mirai won the race as the first botnet to adopt this vulnerability,” Qihoo 360 researchers noted.

Trend Micro researchers have also seen something similar.

“We observed active exploitation of Spring4Shell, where malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, particularly in the Singapore region,” the Trend Micro researchers said.

“We also found the malware file server with different variants for different CPU architectures,” they warned.

The Mirai sample is downloaded to the “/tmp” folder.

Trend says that most vulnerable deployments share the following characteristics:

  • Spring Framework versions prior to 5.2.20, 5.3.18 and Java Development Kit (JDK) version 9 or later
  • Apache Tomcat
  • Dependency on spring webmvc or spring webflux
  • Using spring parameter binding configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
  • Deployable packaged as a web application archive (WAR)
  • Writable file system, such as web apps or ROOT
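As an added example, not code from the article or from Trend Micro, the following Python helper applies the checkable preconditions above (Spring version, JDK 9+, WAR packaging on Tomcat) to a WAR's entry list so a defender can triage an inventory of deployments; the `assess_war` function, the jar-name regex and the sample entries are my own assumptions, and the POJO parameter-binding condition is not checked because it cannot be read from jar names.

```python
import re
import zipfile
from typing import Iterable

# Patch levels from the advisory: 5.2.20 and 5.3.18 contain the fix.
FIXED_PATCH = {(5, 2): 20, (5, 3): 18}
# Matches the spring-webmvc / spring-webflux jars inside a WAR's WEB-INF/lib.
JAR_RE = re.compile(r"WEB-INF/lib/spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)\.jar$")


def spring_version_vulnerable(version: str) -> bool:
    """True if this Spring Framework version predates the CVE-2022-22965 fix."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # Every line older than 5.2 is unpatched; lines newer than 5.3 shipped fixed.
    return (major, minor) < (5, 2)


def find_spring_web_jars(names: Iterable[str]) -> dict:
    """Map spring-webmvc/spring-webflux -> version string from a WAR's entries."""
    found = {}
    for name in names:
        m = JAR_RE.search(name)
        if m:
            found["spring-" + m.group(1)] = ".".join(m.group(2, 3, 4))
    return found


def assess_war(names: Iterable[str], jdk_major: int, on_tomcat: bool = True) -> dict:
    """Combine the version check with the JDK and container preconditions."""
    jars = find_spring_web_jars(names)
    unpatched = {a: v for a, v in jars.items() if spring_version_vulnerable(v)}
    matches = bool(unpatched) and jdk_major >= 9 and on_tomcat
    return {"spring_web_jars": jars, "unpatched": unpatched,
            "jdk_major": jdk_major, "on_tomcat": on_tomcat,
            "matches_trend_profile": matches}


def assess_war_file(path: str, jdk_major: int, on_tomcat: bool = True) -> dict:
    """Same assessment run directly against a WAR on disk."""
    with zipfile.ZipFile(path) as war:
        return assess_war(war.namelist(), jdk_major, on_tomcat)


# Constructed sample entry list standing in for ZipFile.namelist() of a deployed WAR.
SAMPLE_WAR_ENTRIES = [
    "META-INF/MANIFEST.MF",
    "WEB-INF/web.xml",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "WEB-INF/lib/spring-core-5.3.17.jar",
    "WEB-INF/classes/com/example/Controller.class",
]

if __name__ == "__main__":
    print(assess_war(SAMPLE_WAR_ENTRIES, jdk_major=11))
```

A match only means the deployment fits the profile Trend describes; confirming the POJO binding condition still requires reviewing the application's controllers.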

Researchers from Palo Alto Networks’ Unit 42 team believe Spring4Shell will almost certainly be weaponized because it is easy to exploit and full details of how to do so were public by March 31.

“Since exploitation is simple and all the relevant technical details have already gone viral on the Internet, it is possible that SpringShell will be fully weaponized and misused on a larger scale,” it said.

The main vulnerabilities related to Spring4Shell are CVE-2022-22965, a bypass for the 2010 patch CVE-2010-1622, and CVE-2022-22963.

Mirai and its many variants remain one of the biggest threats on the internet. They are used for distributed denial-of-service attacks, password attacks, and the deployment of ransomware and cryptocurrency miners.
