Spring is sprung

Miscreants have started abusing the recently discovered Spring4Shell vulnerability as a vector for the spread of the Mirai botnet.

Trend Micro researchers have noticed the active exploitation of Spring4Shell – a critical vulnerability in VMware’s Spring Framework’s Java-based Core module – to hack into unpatched devices before infecting them with the Mirai malware.

Exploitation began at the start of April in attacks focused on systems in Singapore, according to Trend Micro.




Abusing the Spring4Shell vulnerability (CVE-2022-22965) allows “threat actors to download the Mirai sample to the /tmp folder and execute them after permission change using chmod”, a blog post by Trend Micro explains.

The vulnerability can be used to trigger remote code execution in Spring Core applications under non-default circumstances. The security bug should not be confused with CVE-2022-22963 – a separate security vulnerability affecting Spring Cloud Function.

Servers under attack

Spring4Shell affects Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher. Apache Tomcat, the web server environment in which Trend Micro detected attacks against its clients’ systems, is also affected.
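The version conditions above can be checked against an inventory of deployed jars. This is an added example, not code from the article or from Trend Micro; the function names, the choice of the spring-core and spring-beans jars, the sample paths, and the treatment of release lines older than 5.2 as affected are assumptions.

```python
import re

# Fixed releases named in the article, keyed by release line.
FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}
MIN_JDK_MAJOR = 9  # the article gives JDK 9 or higher as a precondition

# spring-core / spring-beans jar names, with or without a suffix such as
# ".RELEASE" (the module list is an assumption of this example).
JAR_RE = re.compile(
    r"(?:^|/)spring-(?:core|beans)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?\.jar$"
)

def jdk_major(version):
    """Major version from a java.version string: '1.8.0_322' -> 8, '11.0.14' -> 11."""
    parts = re.split(r"[._+-]", version)
    major = int(parts[0])
    return int(parts[1]) if major == 1 and len(parts) > 1 else major

def spring_version(jar_path):
    """Return (major, minor, patch) parsed from a jar path, or None if no match."""
    m = JAR_RE.search(jar_path)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version, jdk):
    """True when the Spring version predates the fix for its line and the JDK is 9+."""
    if jdk < MIN_JDK_MAJOR:
        return False
    # Lines older than 5.2 have no fix listed here, so compare them against
    # 5.2.20 (assumption: "versions before" covers older lines as well).
    return version < FIXED.get(version[:2], (5, 2, 20))

def affected_jars(jar_paths, java_version):
    """Filter an inventory of jar paths down to those that need patching."""
    jdk = jdk_major(java_version)
    versions = ((p, spring_version(p)) for p in jar_paths)
    return [p for p, v in versions if v is not None and is_affected(v, jdk)]

# Constructed inventory for illustration; not taken from any real host.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/shop/WEB-INF/lib/spring-beans-5.3.17.jar",
    "/opt/tomcat/webapps/shop/WEB-INF/lib/spring-core-5.3.18.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/spring-beans-5.2.19.RELEASE.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    print(affected_jars(SAMPLE_JARS, "11.0.14"))
```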




As previously reported, CVE-2022-22965 has also been seen in limited, in-the-wild exploitation, spurring warnings from both the US Cybersecurity and Infrastructure Security Agency and Microsoft’s Threat Intelligence Team. Microsoft said that the threat had cropped up in attacks against its cloud-based services.

Mirai is a strain of malware that turns networking devices running Linux into drones in a botnet. The malware first surfaced in August 2016 and primarily affected hardware devices such as IP cameras and home routers.

It rose to prominence because of its subsequent abuse in several high-profile attacks, including a hugely disruptive attack against DNS provider Dyn in October 2016.

The Daily Swig asked Trend Micro a series of questions about the exploitation of Spring4Shell to spread Mirai. No word back as yet, but we’ll update this story as and when we hear more.


