There has been a land rush of sorts among threat groups trying to use the vulnerability discovered in the open-source Spring Framework last month, and now researchers at Trend Micro are saying it's being actively exploited to run the Mirai botnet.
Mirai is a long-running threat that has been around since 2016 and is used to pull smaller networked and Internet of Things (IoT) devices, such as IP cameras and routers, into a botnet that can then be used in such campaigns as distributed denial-of-service (DDoS) and phishing attacks.
The Trend Micro researchers wrote in a post that they observed the bad actors weaponizing and running Mirai malware on vulnerable servers in the Singapore region via the Spring4Shell vulnerability, tracked as CVE-2022-22965.
By exploiting the flaw, attackers can download a Mirai sample to the "/tmp" folder on a server and execute it after a permission change to make it executable using "chmod." Chmod is a command and system call in Unix and Unix-related systems used to change the access permissions of file system objects, known as "modes."
"We observed the samples at the start of April 2022," they wrote. "We also found the malware file server with other variants for different CPU architectures."
The Spring Framework is widely used by Java application developers as a programming and configuration model. The remote code execution (RCE) vulnerability in the framework was publicly disclosed by VMware-owned Spring on March 31 – though details began to leak a day earlier – and exploitation efforts started almost immediately, according to cybersecurity firms.
"The RCE vulnerability gives threat actors full access to the compromised devices, making it a dangerous and critical vulnerability," the Trend Micro researchers wrote.
Check Point analysts said that in the first weekend after the flaw was disclosed, they saw about 37,000 attempts at exploiting it, adding that about 16 percent of organizations around the globe were impacted. The software industry was hit hardest, making up 28 percent of the companies affected, and Europe was the most impacted region, with 20 percent of the attempts there.
Researchers with Qihoo 360 wrote in a blog post that a day after Spring issued its advisory, they saw an increase in attempts to exploit the flaw, with a Mirai variant winning "the race as the first botnet that adopted this vulnerability."
Analysts with Palo Alto Networks' Unit42 threat intelligence group wrote that they expect Spring4Shell to "become fully weaponized and abused on a larger scale," because the exploitation of the flaw is "straightforward and all the relevant technical details have already gone viral on the internet."
It's not surprising that the Linux-based malware is popular among threat actors looking to exploit Spring4Shell. Earlier this year, CrowdStrike said in a report that in 2021 there was a 35 percent year-over-year growth of malware targeting Linux IoT devices, with the Mirai, XorDDoS and Mozi malware families making up 22 percent of all such malware.
"With various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors," CrowdStrike threat researcher Mihai Maganu wrote.
"For example, whether using hardcoded credentials, open ports or unpatched vulnerabilities, Linux-running IoT devices are a low-hanging fruit for threat actors — and their en masse compromise can threaten the integrity of critical internet services."
The Spring4Shell RCE flaw comes close on the heels of Log4Shell, another high-profile vulnerability found late last year in Log4j, a widely used open-source logging tool distributed by the Apache Software Foundation.
The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity companies are pushing organizations and their developers to use the patch released March 31 by Spring to fix the flaw.
Microsoft said the patch should be used by developers using Java Development Kit (JDK) version 9.0 or later for systems that are running a wide range of Spring Framework versions.
Trend Micro recommended that until they apply the patch, organizations can mitigate the risks of Spring4Shell by maintaining a disallow or blocklist in the web application firewall to block strings that contain values such as "class.*", "Class.*", "*class.*" and "*Class.*".
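The blocklist above is a stopgap, and its value depends on how the strings are actually matched against incoming requests. The following is an added example, not code from Trend Micro or the Spring project, of how such a filter can be expressed: it treats the "*" in the recommended patterns as a wildcard (an assumption), so all four collapse to "the parameter name contains 'class.' or 'Class.'", and it decodes parameter names a second time so that a double-percent-encoded name does not slip past a naive substring match. The sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Trend Micro's stopgap list: "class.*", "Class.*", "*class.*" and "*Class.*".
# Reading "*" as a wildcard (assumption), every pattern reduces to the
# parameter name containing "class." or "Class." somewhere.
BLOCKED_NAME_RE = re.compile(r"[cC]lass\.")


def flagged_parameters(query_string):
    """Return the decoded names of parameters that match the blocklist.

    Works on a URL query string or a form-encoded POST body, since both use
    the same name=value&name=value layout.
    """
    flagged = []
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        # parse_qsl percent-decodes once. Decode again so that a name such as
        # %2563lass.x (which first decodes to %63lass.x) is still inspected
        # as "class.x" rather than passing a plain substring check.
        decoded = unquote(name)
        if BLOCKED_NAME_RE.search(decoded):
            flagged.append(decoded)
    return flagged


def should_block(query_string):
    """True when any parameter name in the request matches the blocklist."""
    return bool(flagged_parameters(query_string))


if __name__ == "__main__":
    # Constructed sample requests: one benign, one with a "class." name,
    # one with a capitalised variant, one double-encoded.
    samples = [
        "name=alice&age=30",
        "user.class.foo=x&ok=1",
        "Class.bar=1",
        "%2563lass.x=1",
    ]
    for qs in samples:
        verdict = "BLOCK" if should_block(qs) else "allow"
        print(f"{verdict:5} {qs!r} flagged={flagged_parameters(qs)}")
```

A WAF rule of this kind only narrows the window until the March 31 patch is applied; it does not remove the underlying flaw, and matching on decoded parameter names rather than on the raw request bytes is what keeps the encoding trick shown above from bypassing it.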
They also can downgrade to a lower JDK version such as version 8, though doing so "could impact application features and open doors to other attacks mitigated in higher versions of JDK," the researchers wrote. ®