Researchers said Friday that hackers are exploiting the recently discovered SpringShell vulnerability to infect vulnerable Internet of Things devices with Mirai, open source malware that corrals routers and other network-connected devices into sprawling botnets.
When SpringShell (aka Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a significant portion of apps on the web. That comparison turned out to be an exaggeration, because the configurations needed to make SpringShell work were by no means common. To date, there are no real-world apps known to be vulnerable.
Trend Micro researchers now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published did not identify the type of device or CPU used in the infected devices. However, the post said that a malware file server had stored multiple variants of the malware for different CPU architectures.
“We observed active exploitation of Spring4Shell, where malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, particularly in the Singapore region,” wrote Trend Micro researchers Deep Patel, Nitesh Surana and Ashish Verma. The exploits allow threat actors to download Mirai to the device’s “/tmp” folder and run it after a permission change with “chmod”.
The attacks appeared in researchers’ honeypots early this month. The vulnerable setups are typically configured with these dependencies:
- Spring Framework versions prior to 5.2.20 and 5.3.18, running on Java Development Kit (JDK) version 9 or later
- Apache Tomcat
- Dependency on spring-webmvc or spring-webflux
- Spring parameter binding configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
- Deployable packaged as a web application archive (WAR)
Trend said the success the hackers had in weaponizing the exploit was due in large part to their skill in using exposed class objects, which gave them multiple options.
“For example,” the researchers wrote, “threat actors can access an AccessLogValve object and arm the class variable ‘class.module.classLoader.resources.context.parent.pipeline.firstpath’ in Apache Tomcat. They can do this by redirecting the access log to write a web shell to the webroot by manipulating the properties of the AccessLogValve object, such as pattern, suffix, directory, and prefix.”
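A defender-side check for the binding path the researchers describe, added here as an example that is not part of the Trend Micro report or this article: it parses Tomcat access-log lines and flags requests whose query-parameter names start with the class.module.classLoader path, reporting which of the AccessLogValve properties named above (pattern, suffix, directory, prefix) they end on. The log lines are constructed samples, the exact property path inside them is an assumption, and the check keys only on the class-loader prefix, not on any specific suffix.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample Tomcat access-log lines (common log format), not real traffic.
# Line 2 carries parameter names that walk the class.module.classLoader path down to
# AccessLogValve properties; the values are placeholders, not a payload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2022:10:00:00 +0000] "GET /app/index?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Apr/2022:10:00:01 +0000] "POST /app/index?class.module.classLoader.resources.context.parent.pipeline.first.pattern=PLACEHOLDER&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=x HTTP/1.1" 200 0
10.0.0.7 - - [01/Apr/2022:10:00:02 +0000] "GET /app/index?user.name=bob HTTP/1.1" 200 77
"""

# Any parameter name starting here is reaching the class loader through Spring's
# data binding, whatever property it ends on (matched case-insensitively).
SUSPICIOUS_PREFIX = "class.module.classloader."
# AccessLogValve properties the report says were manipulated.
VALVE_PROPS = {"pattern", "suffix", "directory", "prefix"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3})'
)


def suspicious_params(target):
    """Return the query-parameter names in a request target that hit the class loader."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower().startswith(SUSPICIOUS_PREFIX)]


def scan_access_log(text):
    """Return one finding per log line whose query string binds into the class loader."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        names = suspicious_params(m["target"])
        if not names:
            continue
        # Which valve properties the parameter names end on (last dotted segment).
        touched = {n.rsplit(".", 1)[-1].lower() for n in names} & VALVE_PROPS
        findings.append({"ip": m["ip"], "method": m["method"], "status": m["status"],
                         "params": len(names), "valve_props": sorted(touched)})
    return findings
```

Tomcat's default access log records only the request line, so parameters sent in a POST body never appear in it; where an application accepts form bodies, the same check needs application-level request logging as its input.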
It’s hard to know exactly what to think of the report. The lack of detail and the geographic connection to Singapore may indicate that a limited number of devices are vulnerable, or possibly none, if what Trend Micro saw was a tool used by researchers. Without knowing which real-world devices are vulnerable, if any, it’s difficult to provide an accurate assessment of the threat or make actionable recommendations for avoiding it.