Researchers at Trend Micro discovered a campaign in which threat actors are attacking web servers vulnerable to Spring4Shell in order to install Mirai malware.
These infected web servers are then used for DDoS attacks later, when needed. Researchers are therefore urging Spring Framework administrators to apply the available updates to protect against such attacks.
Though the campaign is only recruiting servers for DDoS for now, experts warn that the threat actors may gradually evolve to other malicious activity as well.
Exploiting Spring4Shell For Mirai Botnet
Since last week, the cybersecurity community has been busy discussing a new threat in the wild: Spring4Shell, a critical remote code execution vulnerability in the Spring Framework, a Java application development platform used widely in enterprises.
Tracked as CVE-2022-22965, researchers warn that Spring4Shell could trigger another wave like Log4Shell, which has troubled the community for over three months now. Although the Spring project has released updates for this vulnerability, it is up to end users to apply them.
Thus, vulnerable web servers exposed on the internet are now being targeted by threat actors to install the Mirai botnet. Infected servers are then grouped into a network that can be used to perform DDoS attacks later.
This is being tracked by Trend Micro researchers, who noted that the campaign started a few days ago, focusing on unpatched web servers in Singapore that can be exploited via Spring4Shell. Although it has been detected only in Singapore so far, the threat actors may expand globally soon.
They said the threat actors are writing a JSP web shell into the webroot of the exploited web server through a specially crafted request, which can then be used to execute commands on the server remotely.
Multiple Mirai samples were detected in this process, each built for a different CPU architecture of the compromised machine. Only the sample matching the host's architecture remains; the rest are deleted after the initial execution stage.
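Because the campaign drops a JSP web shell into the webroot, a simple defensive check is to baseline the JSP files at deployment time and flag anything new, changed, or containing command-execution markers. The following is an added example written for this article, not Trend Micro's detection logic; the marker list, file names and sample web shell content are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# Heuristic markers of command execution inside a JSP page (an assumption for
# this example, not a vendor signature).
SHELL_MARKERS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")

def iter_jsp(webroot):
    """Yield webroot-relative paths of every .jsp file below webroot."""
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".jsp"):
                yield os.path.relpath(os.path.join(dirpath, name), webroot)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(webroot):
    """Hash every JSP at a known-good moment, e.g. right after deployment."""
    return {rel: sha256_file(os.path.join(webroot, rel)) for rel in iter_jsp(webroot)}

def find_suspicious_jsp(webroot, baseline):
    """Return {relpath: [reasons]} for JSPs that are new, changed, or carry exec markers."""
    findings = {}
    for rel in iter_jsp(webroot):
        path = os.path.join(webroot, rel)
        reasons = []
        if rel not in baseline:
            reasons.append("not in deployment baseline")
        elif baseline[rel] != sha256_file(path):
            reasons.append("modified since baseline")
        with open(path, "rb") as f:
            if SHELL_MARKERS.search(f.read()):
                reasons.append("command execution marker")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed sample: one legitimate page, then a JSP dropped after baselining."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.jsp"), "w") as f:
        f.write("<html><body>Hello</body></html>")
    baseline = build_baseline(root)
    with open(os.path.join(root, "shell.jsp"), "w") as f:  # hypothetical dropped file
        f.write('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    return find_suspicious_jsp(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored outside the webroot and the scan scheduled or wired to a file-change watcher, so a web shell written between scans is still caught.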