The Mirai malware now uses the Spring4Shell exploit to infect and recruit vulnerable web servers for DDoS (distributed denial of service) attacks.
Spring4Shell is a critical remote code execution (RCE) vulnerability tracked as CVE-2022-22965 that affects Spring Framework, a widely used enterprise-level Java app development platform.
Spring released emergency updates several days after the discovery to address the zero-day flaw, but threat actors’ exploitation of vulnerable deployments was already underway.
While Microsoft and Check Point discovered many attacks in the wild using Spring4Shell, their success was questionable because there were no reports of large-scale incidents involving the vulnerability.
As such, Trend Micro’s discovery of a Mirai botnet variant that successfully uses CVE-2022-22965 to advance its malicious operation is worrisome.
Attacks targeting Singapore
The observed active exploitation, which began a few days ago, targets vulnerable web servers in Singapore, which could be a preliminary testing phase before the threat actor scales the operation globally.
Spring4Shell is exploited to write a JSP web shell in the web root of the web server via a specially crafted request, which the threat actors can use to execute commands remotely on the server.
In this case, the threat actors use their remote access to download Mirai to the “/tmp” folder and run it.
Request and commands used in this attack (Trend Micro)
The threat actors retrieve multiple Mirai samples for different CPU architectures and run them with the “wget.sh” script.
Script that retrieves several Mirai samples (Trend Micro)
Samples that fail to run because they do not match the server's CPU architecture are deleted from the drive after the first execution phase.
From Log4Shell to Spring4Shell
Several Mirai botnets were among the few persistent exploiters of the Log4Shell (CVE-2021-44228) vulnerability until last month, exploiting the flaw in the widely used Log4j software to recruit vulnerable devices to their DDoS botnet.
It is possible that botnet operators are now experimenting with other flaws that could potentially have a significant impact, such as Spring4Shell, to tap into new device pools.
Since these types of attacks could also lead to ransomware deployments and data breaches, the use of Mirai for denial of service or crypto mining seems relatively harmless by comparison.
As patching of systems continues and the number of vulnerable deployments decreases, the servers that remain unpatched will show up in more malicious network scans, leading to further exploitation attempts.
Administrators should upgrade to Spring Framework 5.3.18 or 5.2.20, as well as Spring Boot 2.5.12 or later, as soon as possible to close the door to these attacks before the most dangerous threat groups join the exploitation effort.
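Two defender-side checks that follow from the article, as an added example rather than code from Trend Micro or BleepingComputer: a version check against the fixed releases named above, and a scan of the web root for JSP files that are not part of the known deployment, since the attack described earlier drops its web shell as an extra .jsp file there. The product keys, the manifest format and the sample paths are assumptions constructed for the example.

```python
"""Spring4Shell (CVE-2022-22965) exposure checks: version and unexpected JSP files."""
import os
import re

# Fixed releases named in the article, keyed by (product, major.minor branch).
# Product names are a convention of this example, not a Spring identifier.
FIXED_VERSIONS = {
    ("spring-framework", "5.3"): (5, 3, 18),
    ("spring-framework", "5.2"): (5, 2, 20),
    ("spring-boot", "2.5"): (2, 5, 12),
}


def parse_version(text):
    """Turn '5.3.17' or '5.3.17.RELEASE' into an int tuple, ignoring suffixes."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(product, version):
    """True if the version is at or above the fixed release for its branch.

    Branches the article does not list return None (unknown), so callers do
    not mistake a missing entry for a safe one.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((product, f"{v[0]}.{v[1]}"))
    if fixed is None:
        return None
    return v >= fixed


def unexpected_jsp_files(paths, known_files):
    """Return .jsp paths that are absent from the deployment manifest.

    `paths` are file paths relative to the web root; `known_files` is the set
    of .jsp files the deployment is expected to contain. A dropped web shell
    appears here as a file the manifest does not know about.
    """
    return sorted(p for p in paths
                  if p.lower().endswith(".jsp") and p not in known_files)


def list_web_root(web_root):
    """Walk a real web root and return every file path relative to it."""
    return [os.path.relpath(os.path.join(d, n), web_root)
            for d, _, names in os.walk(web_root) for n in names]


if __name__ == "__main__":
    print(is_patched("spring-framework", "5.3.17"))        # False
    # Constructed sample listing standing in for list_web_root("/var/www/app").
    sample = ["index.jsp", "WEB-INF/web.xml", "dropped.jsp"]
    print(unexpected_jsp_files(sample, {"index.jsp"}))      # ['dropped.jsp']
```

Run `unexpected_jsp_files(list_web_root(root), manifest)` against the real web root, where the manifest is the set of JSP files from the last known-good build.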
This post, Mirai malware now ships with Spring4Shell exploits, was originally published at “https://www.bleepingcomputer.com/news/security/mirai-malware-now-delivered-using-spring4shell-exploits/”