A Mirai-based botnet is exploiting the Spring4Shell vulnerability

Experts warn of a Mirai-based botnet exploiting the recently discovered Spring4Shell vulnerability in attacks in the wild.

Trend Micro Threat Research reported that the recently discovered Spring4Shell vulnerability (CVE-2022-22965) is actively exploited by a Mirai-based botnet.

Researchers from Chinese cybersecurity firm Qihoo 360 first reported the exploitation of the Spring4Shell by a Mirai-based botnet in early April.

“After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai, has won the race as the first botnet that adopted this vulnerability.” reported Qihoo 360.

The Spring4Shell issue was disclosed at the end of March, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

According to Trend Micro, threat actors are exploiting the Spring4Shell since the beginning of April. The researchers were able to find the malware file server containing different samples developed for different CPU architectures.

“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region.” reads the post published by Trend Micro. “The Mirai sample is downloaded to the “/tmp” folder and executed after permission change to make them executable using “chmod”.”

Trend Micro experts reported that threat actors exploit the flaw to download the Mirai sample to the “/tmp” folder and execute them after permission change using “chmod”.

Trend Micro also shared a list of the IOCs for these attacks.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)

[adrotate banner=”5″]

[adrotate banner=”13″]