Attackers have been exploiting a previously uncovered flaw in the Spring framework to deploy the Mirai botnet malware on vulnerable devices since April, in a likely attempt to launch distributed denial-of-service (DDoS) attacks.
The high-severity remote code execution vulnerability (CVE-2022-22965) was uncovered in late March in Spring, a popular Java framework used by developers to create and test enterprise-level applications. While patches fixing the flaw were released shortly after its disclosure, in Spring Framework 5.3.18 and 5.2.20, attackers are targeting vulnerable servers where the patches have not yet been applied.
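A version triage helper, added here as an example and not code from the article or from Trend Micro: given a constructed list of jar paths, it flags Spring Framework jars that sit below the fixed versions named above (5.3.18 and 5.2.20). It assumes the usual Spring jar naming pattern and, by assumption, treats out-of-support branches older than 5.2 as unpatched; a vulnerable version alone does not mean the exploit's configuration requirements are met.

```python
import re

# Fix versions named in the article for CVE-2022-22965, keyed by release branch.
FIXED_BY_BRANCH = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches Spring Framework jar names such as spring-webmvc-5.3.17.jar or
# spring-core-5.2.20.RELEASE.jar (the 5.2 line still used the .RELEASE suffix).
JAR_RE = re.compile(
    r"spring-(?:webmvc|beans|core|context|webflux)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$"
)


def parse_version(jar_path):
    """Return (major, minor, patch) for a Spring Framework jar path, or None."""
    m = JAR_RE.search(jar_path)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True when the version carries the CVE-2022-22965 fix.

    Assumption: branches older than 5.2 are out of support and never received
    a fix, so they are reported as unpatched; 6.x and later shipped after the fix.
    """
    major, minor, _ = version
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return (major, minor) > (5, 3)
    return version >= fixed


def triage(jar_paths):
    """Map each recognised Spring Framework jar to 'patched' or 'unpatched'."""
    report = {}
    for path in jar_paths:
        version = parse_version(path)
        if version is not None:
            report[path] = "patched" if is_patched(version) else "unpatched"
    return report


# Constructed sample inventory; these paths are not from the article.
SAMPLE_JARS = [
    "/srv/app/WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "/srv/app/WEB-INF/lib/spring-beans-5.3.18.jar",
    "/srv/legacy/WEB-INF/lib/spring-core-5.2.20.RELEASE.jar",
    "/srv/legacy/WEB-INF/lib/spring-context-4.3.30.RELEASE.jar",
    "/srv/app/WEB-INF/lib/jackson-databind-2.13.2.jar",  # not a Spring jar, ignored
]

if __name__ == "__main__":
    for path, status in triage(SAMPLE_JARS).items():
        print(f"{status:9s} {path}")
```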
“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” said Deep Patel, Nitesh Surana and Ashish Verma, security researchers with Trend Micro, in a Friday analysis.
In this latest campaign, researchers observed that after exploitation the Mirai sample was downloaded to the “/tmp/” folder and executed. When they examined the samples at the start of April, they found other variants on the malware file server, built for different CPU architectures.
“The script 'wget.sh' downloads the binaries from the malicious server and executes all the samples,” said the researchers. “The compatible ones run while the rest don’t. Post execution, the files are removed from disk.”
The flaw enables attackers to bypass a patch for a Spring flaw that is more than a decade old. From there, attackers can send a specific HTTP request to vulnerable endpoints, followed by a malicious .jar file, in order to execute arbitrary code. Researchers said the flaw gives threat actors full access to compromised devices. That could allow them to install malware that exfiltrates data from a device, launch denial-of-service (DoS) attacks, deploy cryptomining malware or execute ransomware. In March, researchers developed a reliable exploit, but it requires a specific, specially configured version of the application to work.
While the Spring flaw initially caused concerns that it would be on the same level as the previously uncovered critical vulnerability in the Apache Log4j logging library, Jon Clay, VP of threat intelligence at Trend Micro, said that the flaw is “definitely not in the same league as Log4Shell at this point due to the vulnerable environment requiring a lot of outdated configurations, and so [we’re] less likely to see mass vulnerable systems, unlike Log4Shell.”
The campaign joins several previously uncovered exploit attempts for CVE-2022-22965, with the Cybersecurity and Infrastructure Security Agency (CISA) adding the flaw to its Known Exploited Vulnerabilities Catalog in April. Microsoft researchers said in early April that they had been tracking a “low volume” of exploit attempts across their cloud services to drop webshells on vulnerable servers; however, they were not seeing a “significant increase” in the quantity of attacks at the time.
“We started seeing exploitation by the Mirai botnet since the beginning of April, so [it is] still too early to say whether this is going to increase or not,” said Clay. “We have not seen any exploitation outside of Mirai at this point. What is interesting is Mirai typically targets routers and IoT devices but in this instance, they are targeting servers that are vulnerable. We will continue to monitor these attacks.”