Trend Micro Has Found Evidence That The Spring4Shell Vulnerability Is Being Exploited

Security researchers at Trend Micro have observed an active exploitation of the Spring4Shell vulnerability where threat actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers in the Singapore region. 

Trend Micro says most of the vulnerable setups were configured with the following features:

  • Spring Framework versions earlier than 5.2.20 or 5.3.18, running on Java Development Kit (JDK) version 9 or higher
  • Apache Tomcat
  • Spring-webmvc or spring-webflux dependency
  • Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
  • Deployable, packaged as a web application archive (WAR)
  • Writable file system, such as the Tomcat webapps or ROOT directory
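As an added example (not code from Trend Micro or from this post), the following triage helper turns the precondition list above into a repeatable check an administrator can run against facts gathered from each server. The Deployment fields, the version parsing and the function names are my own assumptions; the only fixed-release numbers it knows are the two branches the list names, so any other Spring branch is reported as unknown rather than passed.

```python
from dataclasses import dataclass
from typing import Optional

# First fixed release on each Spring Framework branch named in the list above.
FIXED_SPRING = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

def parse_version(text: str) -> tuple:
    """'5.3.17.RELEASE' -> (5, 3, 17); stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def spring_is_patched(version: str) -> Optional[bool]:
    """True at/above the branch's fixed release, False below it, None when the
    branch is not one the list names (check the vendor advisory instead)."""
    v = parse_version(version)
    fixed = FIXED_SPRING.get(v[:2]) if len(v) >= 3 else None
    return None if fixed is None else v >= fixed

def jdk_major(text: str) -> int:
    """Legacy '1.8.0_312' -> 8; modern '11.0.14' -> 11, '17' -> 17; unknown -> 0."""
    v = parse_version(text.replace("_", ".")) or (0,)
    return v[1] if v[0] == 1 and len(v) > 1 else v[0]

@dataclass
class Deployment:  # assumed shape: facts gathered from one server
    spring_version: str
    jdk_version: str
    tomcat: bool
    webmvc_or_webflux: bool
    binds_pojo_params: bool
    war_packaging: bool
    writable_webapp_dir: bool

def triage(d: Deployment) -> dict:
    """One flag per precondition; 'matches_all' means the server looks like the observed setups."""
    patched = spring_is_patched(d.spring_version)
    f = {"spring_unpatched": patched is False,
         "spring_branch_unknown": patched is None,
         "jdk_9_or_higher": jdk_major(d.jdk_version) >= 9,
         "tomcat": d.tomcat,
         "webmvc_or_webflux": d.webmvc_or_webflux,
         "pojo_binding": d.binds_pojo_params,
         "war_packaging": d.war_packaging,
         "writable_webapp_dir": d.writable_webapp_dir}
    f["matches_all"] = all(v for k, v in f.items() if k != "spring_branch_unknown")
    return f
```

A server that reports `spring_branch_unknown` should be checked against the vendor advisory by hand, since this helper only encodes the two branches the post lists.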

This is of course a major problem: if one group of threat actors is taking advantage of this vulnerability, other threat actors are doing the same thing, or will be doing so soon enough.

I have sourced a pair of comments on this, starting with Saryu Nayyar, CEO and Founder, Gurucul:

“This is another example of a known set of malware being leveraged to exploit a newly discovered set of vulnerabilities. Mirai is indeed a long-standing and dangerous piece of malware that can deliver multiple destructive outcomes to organizations. Until vulnerabilities such as these can be patched, which can take weeks or months, organizations need to augment their threat detection, investigation and response programs to determine if they are already under attack and certainly find any signs of an attack early in the kill chain. This can allow them to perform emergency patching on systems if threatened. However, this requires a solution not only with advanced analytics and non-rule-based machine learning models to detect any variations employed when Mirai is executed, but also threat intelligence combined with risk analytics to prioritize and escalate to security teams once the attack is potentially found. These capabilities are critical for accelerating response and rallying security teams to identify and focus efforts on a serious active threat. Unfortunately, most current SIEM and XDR solutions lack this combination of features to be enough to stop this attack so organizations must look at more advanced solutions to better enable security teams.”

Chris Olson, CEO, The Media Trust is next:

“In the face of Log4Shell, many organizations rolled out patches to protect their internal systems and consumer-facing services. But the emergence of Spring4Shell reminds us that patching is only a temporary fix: as long as organizations are depending on third-party assets for website, app and backend development, they must exercise continual vigilance and monitoring to protect their users.”

This is likely the start of larger campaigns using this exploit. Thus, sysadmins and security professionals should take this time to make sure that they aren’t vulnerable to being pwned by it.
