Researchers said Friday that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open-source malware that turns routers and other network-connected devices into sprawling botnets.
When SpringShell (aka Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J, which affected a significant portion of apps on the web. This comparison turned out to be exaggerated since the configurations required for SpringShell to work were by no means common. So far, no real apps are known to be vulnerable.
Trend Micro researchers now say hackers have developed a weaponized exploit that successfully installs Mirai. Their blog post did not disclose the device type or CPU used in the infected devices. However, the post said that a malware file server they found had stored multiple variants of the malware for different CPU architectures.

“We observed active exploitation of Spring4Shell, where malicious actors could weaponize the Mirai botnet malware and run it on vulnerable servers, particularly in the Singapore region,” wrote Trend Micro researchers Deep Patel, Nitesh Surana and Ashish Verma. The exploits allow threat actors to download Mirai to the device’s “/tmp” folder and run it with “chmod” after changing permissions.
The attacks surfaced in researchers’ honeypots earlier this month. Most vulnerable setups have been configured for these dependencies:
- Spring Framework versions earlier than 5.2.20, 5.3.18 and Java Development Kit (JDK) version 9 or higher
- Apache Tomcat
- Spring-webmvc or spring-webflux dependency
- Using Spring parameter binding configured to use a non-basic parameter type, e.g., Plain Old Java Objects (POJOs)
- Deployable packaged as a web application archive (WAR)
Trend said the hackers’ success in weaponizing the exploit was largely due to their ability to use exposed class objects, which gave them multiple options.
“For example,” the researchers wrote, “threat actors can access an AccessLogValve object and weaponize the class variable ‘class.module.classLoader.resources.context.parent.pipeline.firstpath’ in Apache Tomcat. They can do this by redirecting the access log to write a web shell to the web root by manipulating the AccessLogValve object’s properties such as pattern, suffix, directory, and prefix.”
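Because the technique above binds request parameters into the class loader path quoted by the researchers, one defensive check is to scan web-server access logs for query parameters whose names reach `class.module.classLoader`. The following is an added example, not code from Trend Micro or the Spring project; it assumes Tomcat-style combined-format access logs and uses constructed sample lines with placeholder values.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Marker the researchers quote as the abused class variable path (matched case-insensitively).
CLASSLOADER_MARKER = "class.module.classloader"

# Combined/common log format: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; parameter values are placeholders, not payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2022:10:12:01 +0000] "GET /index HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2022:10:12:07 +0000] "POST /app?class.module.classLoader.resources.context.parent.pipeline.firstpath=x HTTP/1.1" 200 0',
    '198.51.100.2 - - [01/Apr/2022:10:12:09 +0000] "GET /app?class%252Emodule%252EclassLoader.resources=x HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Apr/2022:10:13:44 +0000] "GET /app?name=bob&class=2022 HTTP/1.1" 200 0',
]

def suspicious_params(request_target):
    """Return the query parameter names that bind into the class loader."""
    hits = []
    for name, _ in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded names.
        if CLASSLOADER_MARKER in unquote_plus(name).lower():
            hits.append(name)
    return hits

def scan_access_log(lines):
    """Return one finding per request whose query string touches the class loader.

    Caveat: parameters sent in a POST body never appear in the access log, so
    this only catches the query-string form; body inspection needs a WAF or
    request-body logging.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        hits = suspicious_params(target)
        if hits:
            findings.append({"client": client, "time": ts, "method": method,
                             "status": int(status), "params": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```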
It’s hard to know exactly what to make of the report. The lack of detail and the geographic tie to Singapore may indicate that a limited number of devices are vulnerable, or possibly none at all if what Trend Micro saw was a tool used by researchers. Without knowing which real-world devices are vulnerable, if any, it’s difficult to provide an accurate assessment of the threat or actionable recommendations on how to avoid it.