Security researchers have observed attackers exploiting the Spring4Shell Java-related flaw to install malware on target systems.
Researchers at security firms Trend Micro and Qihoo 360 watched the attacks emerge almost as soon as the bug became public.
While Spring4Shell isn’t quite as dire as Log4Shell, most security firms, the US Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft are urging developers to patch if they are running Java Development Kit (JDK) version 9.0 or later together with Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or earlier versions.
“After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai has won the race as the first botnet that adopted this vulnerability,” Qihoo 360 researchers noted.
Trend Micro researchers have also seen something similar.
“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” said Trend Micro’s researchers.
“We also found the malware file server with other variants for different CPU architectures,” they warned.
The Mirai sample is downloaded to the “/tmp” folder.
Trend says most of the vulnerable setups were configured with the following features:
- Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher
- Apache Tomcat
- Spring-webmvc or spring-webflux dependency
- Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
- Deployable, packaged as a web application archive (WAR)
- Writable file system, such as web apps or ROOT
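As an added example (not code from the article, Trend Micro or Qihoo 360), the Python script below encodes the patch advice and the deployment profile above so that a fleet inventory can be checked against them: hosts running Spring Framework before 5.2.20 / 5.3.18 (or an older branch) on JDK 9 or newer are flagged for patching, and each host is also scored against the traits Trend lists. The Deployment record, its field names and the sample hosts are constructed for illustration.

```python
"""Spring4Shell exposure triage for an inventory of Java deployments.

Added example, not code from the article or from Trend Micro / Qihoo 360.
It encodes only what the article states: patch when JDK 9 or newer runs
Spring Framework before 5.2.20 / 5.3.18 (older branches also affected), and
the deployment traits Trend Micro listed for the exploited hosts (Tomcat,
WAR packaging, spring-webmvc or spring-webflux, POJO parameter binding).
The Deployment record and its field names are a constructed convention.
"""
import re
from dataclasses import dataclass

# Fixed Spring Framework releases named in the article, keyed by branch.
SPRING_FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

# Dependencies Trend Micro listed as present on the exploited hosts.
WEB_STARTERS = {"spring-webmvc", "spring-webflux"}


def parse_version(text):
    """'5.3.17' or '5.2.19.RELEASE' -> (5, 3, 17) / (5, 2, 19); qualifiers dropped."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in nums[:3])


def java_major(text):
    """Feature release of a JDK version: '1.8.0_322' -> 8, '11.0.2' -> 11, '17' -> 17."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unrecognised Java version: {text!r}")
    # Releases before JDK 9 used the legacy '1.x' scheme: the major is the second field.
    if nums[0] == "1" and len(nums) > 1:
        return int(nums[1])
    return int(nums[0])


def spring_is_unpatched(version):
    """True if this Spring Framework release predates the fix on its branch.

    5.2.x is fixed at 5.2.20 and 5.3.x at 5.3.18. Branches older than 5.2 are
    described by the article as affected with no fixed release, so they count
    as unpatched. Branches newer than 5.3 are not in the affected range.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in SPRING_FIXED:
        return v < SPRING_FIXED[branch]
    return branch < (5, 2)


@dataclass
class Deployment:
    host: str
    spring_version: str
    java_version: str
    servlet_container: str   # e.g. "tomcat", "jetty"
    packaging: str           # "war" or "jar"
    web_dependency: str      # e.g. "spring-webmvc", "spring-webflux"
    binds_pojo_params: bool  # request parameters bound to non-basic (POJO) types


def assess(d):
    """Return (needs_patch, matched_traits).

    needs_patch follows the advice quoted in the article: unpatched Spring on
    JDK 9 or newer. matched_traits lists which of Trend Micro's observed
    deployment features this host shares.
    """
    needs_patch = spring_is_unpatched(d.spring_version) and java_major(d.java_version) >= 9
    traits = []
    if d.servlet_container.lower() == "tomcat":
        traits.append("tomcat")
    if d.packaging.lower() == "war":
        traits.append("war")
    if d.web_dependency.lower() in WEB_STARTERS:
        traits.append(d.web_dependency.lower())
    if d.binds_pojo_params:
        traits.append("pojo-binding")
    return needs_patch, traits


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    Deployment("app-01", "5.3.17", "11.0.14", "tomcat", "war", "spring-webmvc", True),
    Deployment("app-02", "5.3.18", "17.0.2", "tomcat", "war", "spring-webmvc", True),
    Deployment("app-03", "5.2.19.RELEASE", "1.8.0_322", "tomcat", "war", "spring-webflux", True),
    Deployment("app-04", "5.1.20", "11.0.2", "jetty", "jar", "spring-webmvc", False),
]


def triage(inventory):
    """Map host -> (needs_patch, matched_traits) for a whole inventory."""
    return {d.host: assess(d) for d in inventory}


if __name__ == "__main__":
    for host, (patch, traits) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'PATCH' if patch else 'ok'}  traits={','.join(traits) or '-'}")
```

Note that app-03 in the sample is not flagged even though its Spring version is in the affected range, because it runs on JDK 8; that is exactly the distinction the advisories draw, and it is the kind of host that is easy to misclassify when a scan keys only on the Spring version.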
Researchers at Palo Alto Networks’ Unit 42 team believe that Spring4Shell will almost certainly be weaponized because it was straightforward to exploit and all the details of how to do it were public on March 31.
“Since exploitation is straightforward and all the relevant technical details have already gone viral on the internet, it’s possible that SpringShell will become fully weaponized and abused on a larger scale,” it said.
The chief vulnerabilities related to Spring4Shell are CVE-2022-22965, which is a bypass for the 2010 patch CVE-2010-1622, and CVE-2022-22963.
Mirai and its many variants remain one of the biggest threats on the internet. They are used for distributed denial-of-service attacks, attacks on passwords, and the deployment of ransomware and cryptocurrency miners.