Threat actors exploit Spring4Shell to weaponize and execute Mirai botnet

Researchers from Trend Micro have spotted threat actors exploiting the Spring4Shell vulnerability CVE-2022-22965 to weaponize and execute the Mirai botnet.

Spring4Shell (CVE-2022-22965) is a remote code execution (RCE) vulnerability in Spring Framework data binding on JDK 9 and later. It bypasses the fix for CVE-2010-1622, so that older class-loader manipulation issue becomes exploitable again. The publicly known exploit requires the application to run on Apache Tomcat as a WAR deployment; Spring notes that the underlying flaw is more general and that other exploitation paths may exist.

The Spring Framework is used to develop Java-based enterprise applications that can be deployed on multiple types of deployment platforms.

According to Trend Micro, attackers exploit Spring4Shell to download a Mirai sample into the “/tmp” directory, make it executable with “chmod”, and then run it.

“We began seeing malicious activities at the start of April 2022. We also found the malware file server with other variants of the sample for different CPU architectures,” Trend Micro wrote in a blog post Friday.

Mirai has been used over the years in many attacks that exploit vulnerabilities in routers, surveillance products and other internet of things (IoT) devices.

Spring4Shell is fixed in the following releases:

  • Spring Framework 5.3.18+ and 5.2.20+
  • Spring Boot 2.6.6+ and 2.5.12+

The related Spring Cloud Function RCE vulnerability CVE-2022-22963 is a separate bug with its own fix, in Spring Cloud Function 3.1.7+ and 3.2.3+.

Where upgrading is not immediately possible, organizations can apply temporary workarounds, such as a disallow list in their web application firewall that blocks requests whose parameter names match “class.*”, “Class.*”, “*.class.*” or “*.Class.*”. Spring's own recommended application-side workaround is the same list applied as disallowed fields on the WebDataBinder from a ControllerAdvice. A WAF rule is a stopgap: it has to match on URL-decoded parameter names and on both capitalizations, it can still block legitimate parameters, and it does not replace patching.
