Mirai Malware Distributed by Means of Spring4Shell Vulnerability
A Flaw in Spring Framework Lets Hackers Download the Mirai Botnet.
Threat actors have been detected using the Spring4Shell vulnerability to install malware on victim PCs, according to security researchers.
More Details on the Spring4Shell Vulnerability
According to ZDNet, the Spring4Shell vulnerability, which has been assigned by security researchers CVE-2022-22965 is not considered to be as dangerous as the famous Log4Shell. However, what the US Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft are advising developers is that they patch it if they’re using Java Development Kit (JDK) 9.0 and higher, as well as Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.
Researchers from Qihoo 360 published a report on this topic mentioning that
After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai, has won the race as the first botnet that adopted this vulnerability.
TrendMicro experts came to the same conclusion that the Mirai botnet is exploiting this vulnerability, reporting that
Trend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware. The exploitation allows threat actors to download the Mirai sample to the “/tmp” folder and execute them after permission change using “chmod”. We began seeing malicious activities at the start of April 2022. We also found the malware file server with other variants of the sample for different CPU architectures.
What Software and Versions Have Been Impacted?
The Mirai sample is saved in the “/tmp” directory.
As the Trend Micro’s analysis further explains, the following dependencies were configured in the majority of the vulnerable setups:
- Versions of the Spring Framework prior to 5.2.20, 5.3.18, and the Java Development Kit (JDK) version 9 or higher.
- Apache Tomcat.
- Dependencies spring-webmvc or spring-webflux.
- Using a non-basic parameter type, such as Plain Old Java Objects, when using Spring parameter binding (POJOs).
- Deployable and comes in the form of a web application archive (WAR).
- Web apps or ROOT, which are examples of writable file systems.
But What Causes the Spring4Shell Vulnerability?
The experts also explain how can threat actors achieve access to the system by means of the chains of properties:
In general, this vulnerability occurs when special objects or classes are exposed under certain conditions. It is quite common for request parameters to be bound to a POJO that is not annotated with @RequestBody, which helps in extracting parameters from HTTP requests. The class variable contains a reference to the POJO object that the HTTP parameters are mapped to. (…) Threat actors can directly access an object by specifying the class variable in their requests. All child properties of an object can also be accessed by malicious actors through the class objects. As a result, they can get access to all kinds of other valuable objects on the system simply by following the chains of properties.
What’s more, is that the researchers at Palo Alto Networks’ Unit 42 are of the opinion that Spring4Shell will almost surely be weaponized and that’s because it was simple to exploit and all the instructions on how to do so were made public on March 31.