There’s been something of a race to the ground between threat groups trying to use the vulnerability discovered in the open source Spring Framework last month, and now Trend Micro researchers say it’s being actively exploited to run the Mirai botnet. .
Mirai malware is a long-running threat that has been around since 2016 and is used to lure smaller Internet of Things (IoT) and network devices such as IP cameras and routers into a botnet that can then be used in campaigns such as distributed denial. -of-service (DDoS) and phishing attacks.
Trend Micro researchers wrote in a mail who observed bad actors weaponizing and executing Mirai malware on vulnerable servers in the Singapore region via the Spring4Shell vulnerability, tracked as CVE-2022-22965.
By exploiting the flaw, attackers can download a sample of Mirai to the “/tmp” folder on a server and run it after a permission change to make them executable using “chmod”.
Chmod is a command and system call on Unix and Unix-related servers used to change the access permissions of file system objects known as “modes”.
“We observed the samples in early April 2022,” they wrote. “We also found the malware file server with other variants for different CPU architectures.”
The Spring Framework is widely used by Java application developers as a programming and configuration model. VMware-owned Spring publicly disclosed the remote control execution (RCE) vulnerability in the framework on March 31, though details began leaking a day earlier, and exploitation efforts began almost immediately, according to the companies. cyber security.
“The RCE vulnerability gives threat actors full access to compromised devices, making it a critical and dangerous vulnerability,” Trend Micro researchers wrote.
Check Point analysts said that in the first weekend after the flaw was revealed, they saw around 37,000 attempts to exploit it, adding that around 16 percent of organizations around the world were affected. The software industry was the hardest hit, accounting for 28 percent of affected companies, and Europe was the hardest hit region, with 20 percent of attempts there.
Researchers with Qihoo 360 wrote in a blog post that a day after Spring issued its advisory, they saw an increase in attempts to exploit the flaw, with a Mirai variant winning “the race as the first botnet to adopt this vulnerability.”
Analysts from the Palo Alto Networks Unit42 Threat Intelligence Group wrote that they expect Spring4Shell “to be weaponized and abused on a massive scale”, because exploiting the flaw is “simple and all the relevant technical details have already gone viral on the internet”.
Not surprisingly, Linux-based malware is popular with threat actors looking to exploit Spring4Shell. Earlier this year, CrowdStrike said in a report that in 2021 there was a 35% year-over-year growth of malware targeting Linux IoT devices, with the Mirai, XorDDoS, and Mozi malware families accounting for 22% of all such malware.
“With various builds and distributions of Linux at the heart of cloud, mobile, and IoT infrastructures, it presents a huge opportunity for threat actors,” wrote CrowdStrike threat researcher Mihai Maganu.
“For example, whether they use hard-coded credentials, open ports, or unpatched vulnerabilities, IoT devices running Linux are easy fruit for threat actors, and their mass compromise can threaten the integrity of critical Internet services. “.
The Spring4Shell remote is close to Log4Shell, another high-profile vulnerability found late last year in Log4j, a widely used open source logging tool distributed by the Apache Software Foundation.
The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity companies are pressuring organizations and their developers to use the patch released on March 31 by Spring to fix the bug.
Microsoft said the patch should be used by developers using the Java Development Kit (JDK) version 9.0 or later for systems running a wide range of Spring Framework versions.
Trend Micro recommended that, until they apply the patch, organizations can mitigate the risks of Spring4Shell by maintaining a deny or block list in the web application firewall to block strings containing values such as “class.*, “Class.*” , “*class .*” and “*Class.*”
They can also downgrade to a lower JDK version, such as version 8, although doing so “could affect application functionality and open doors to other attacks mitigated in higher JDK versions,” the researchers wrote. ®