According to Trend Micro, hackers are actively exploiting the Spring4Shell critical RCE vulnerability (CVE-2022-22965) to deploy Mirai botnet malware. It has been reported that attackers have been actively exploiting the vulnerability since early April 2022 to launch Mirai malware in Singapore.
"Exploitation of the vulnerability allows attackers to download Mirai samples to the '/tmp' folder and run them after changing the permission using 'chmod'," Trend Micro said.
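The post-exploitation sequence Trend Micro describes above (a payload written to /tmp, made executable with chmod, then run) is something a defender can look for in process telemetry. The following is an added example, not code from this article or from Trend Micro: its event line format, the sample events, the 300-second correlation window and the assumption that the Spring application runs inside a java process are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed event format (an assumption, not a real auditd/EDR schema):
# "<ts> <host> pid=<n> ppid=<n> user=<u> exe=<path> args=<command line>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"user=(?P<user>\S+) exe=(?P<exe>\S+) args=(?P<args>.*)$"
)

# Constructed sample telemetry: one suspicious chmod-then-exec chain spawned by
# the web application's java process, plus two benign /tmp activities.
SAMPLE_EVENTS = """\
1649990000 web01 pid=1950 ppid=1900 user=alice exe=/bin/chmod args=chmod 755 /tmp/build.sh
1650000001 web01 pid=2101 ppid=1 user=tomcat exe=/usr/bin/java args=java -jar app.war
1650000011 web01 pid=2451 ppid=2101 user=tomcat exe=/bin/chmod args=chmod 777 /tmp/x86
1650000012 web01 pid=2452 ppid=2101 user=tomcat exe=/tmp/x86 args=/tmp/x86
1650000020 web01 pid=2460 ppid=1900 user=alice exe=/bin/chmod args=chmod 700 /tmp/notes.sh
1650000030 web01 pid=2461 ppid=1900 user=alice exe=/tmp/build.sh args=/tmp/build.sh
"""

# Assumption: the Spring application is hosted by a java process.
WEB_SERVER_EXES = ("java",)


@dataclass
class Event:
    ts: int
    host: str
    pid: int
    ppid: int
    user: str
    exe: str
    args: str


def parse_events(text):
    """Parse constructed event lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        events.append(Event(int(g["ts"]), g["host"], int(g["pid"]), int(g["ppid"]),
                            g["user"], g["exe"], g["args"]))
    return events


def detect_tmp_chmod_exec(events, window_seconds=300):
    """Flag a /tmp file that is chmod'ed and then executed on the same host
    within window_seconds. Each alert records whether the executing
    process's parent is the web application process."""
    pid_exe = {e.pid: e.exe for e in events}
    pending = {}  # (host, /tmp path) -> most recent chmod event for it
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.exe.endswith("/chmod"):
            # Remember every /tmp path the chmod touched (skip argv[0] and the mode).
            for tok in e.args.split()[1:]:
                if tok.startswith("/tmp/"):
                    pending[(e.host, tok)] = e
        elif e.exe.startswith("/tmp/"):
            chmod_ev = pending.get((e.host, e.exe))
            if chmod_ev and 0 <= e.ts - chmod_ev.ts <= window_seconds:
                parent_exe = pid_exe.get(e.ppid, "")
                alerts.append({
                    "host": e.host,
                    "path": e.exe,
                    "user": e.user,
                    "chmod_ts": chmod_ev.ts,
                    "exec_ts": e.ts,
                    "parent_exe": parent_exe,
                    "parent_is_web_app": parent_exe.rsplit("/", 1)[-1] in WEB_SERVER_EXES,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_tmp_chmod_exec(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Only the tomcat chain produces an alert: the chmod on /tmp/notes.sh is never followed by execution, and /tmp/build.sh was made executable long before it ran, so it falls outside the window. In a real deployment the window and the parent-process check are the two knobs to tune against the host's normal activity.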
The issue is rated 9.8 out of 10 on the CVSS scale and allows attackers to remotely execute code in Spring Core applications under unusual circumstances, giving them the ability to take full control of compromised devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also added the Spring4Shell vulnerability to its list of known exploitable vulnerabilities based on "active exploitation evidence".
The vulnerability is new and can be exploited remotely if the Spring application is deployed on an Apache Tomcat server with a common configuration. To exploit the vulnerability, an attacker needs to locate and identify web application installations using DeserializationUtils. The vulnerability does not affect Spring applications using Spring Boot and embedded Tomcat.
We have published multiple posts about CVE-2022-22965: you can check the post on its advisory and official statement, and read the exploitation guide from the Rapid7 team. For mitigation, we strongly recommend applying the update released by the Spring team.