Posted on April 11, 2022 at 12:01 PM

Threat actors deploy Mirai to exploit Spring4Shell vulnerability

The Spring4Shell vulnerability was recently disclosed alongside its potential impact. The critical vulnerability can be exploited by hackers to deploy malware on targeted devices to steal user data and launch persistent attacks.

A recent report has revealed that the Mirai botnet malware is being used to exploit the Spring4Shell vulnerability. The malware has been detected in Singapore, and threat actors have been using it to launch a series of attacks since April 2022.

Hackers exploit Spring4Shell vulnerability using Mirai malware

The Spring4Shell vulnerability tracked as CVE-2022-22965 can allow hackers to gain remote code execution on Spring Core applications. This allows the malicious actors to gain total control over the targeted devices, from where they can conduct other follow up attacks.

Ashish Verma, Deep Paten and Nitesh Surana, researchers at Trend Micro, have published a report explaining how this malware operates. The research stated that exploiting this vulnerability allowed the “threat actors to download the Mirai sample to the ‘/tmp’ folder and execute them after permission change using ‘chmod’.

“We began seeing malicious activities at the start of April 2022. We also found the malware file server with other variants of the sample for different CPU architectures,” the report said. The discovery of this malware comes amid growing concern about the Spring4Shell vulnerability.

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) said that the Spring4Shell vulnerability was now on the Known Exploited Vulnerabilities Catalog list. The malware was added to this list based on “evidence of active exploitation.”

This is not the first time hackers are using botnet malware to exploit known vulnerabilities. Hackers usually act quickly to exploit newly publicized flaws before they are patched.

Towards the end of last year, botnet malware such as Mirai and Kinsing were used to exploit the Log4Shell vulnerability. The vulnerabilities were exploited to gain unauthorized access to internet servers.

The Mirai botnet malware is especially very popular with hackers. The malware’s name translates to “future” in Japanese. Mirai is a Linux malware that has been used to target smart home devices. Some of the devices exploited using the malware include routers and IP cameras. The malware later links the compromised devices into a single network known as a botnet.

The use of this malware does not stop with the first attack on a user’s device. The IoT botnet can later use the network of infected devices to launch more attacks. Massive phishing attacks, illegal cryptocurrency mining, click fraud and distributed denial of service (DDoS) attacks can be done as follow-up attacks.

The Mirai malware is also being used on a large scale now. In October 2016, the Mirai source code was leaked. This has allowed attackers to create malware variants, making it even harder to monitor and tame its use. Some of the most-known variants of this malware include Masuta, Okiru, Reaper and Satori.

In January this year, CrowdStrike, a cybersecurity company, announced a 35% increase in the malware being used to target Linux systems in 2021 compared to the previous year. The Mirai, Mozi and XOR DDoS malware accounted for over 22% of the attacks targeted on Linux devices during the year.

The researchers noted that “the primary purpose of these malware families is to compromise vulnerable inter-connected devices, amass them into botnets, and use them to perform distributed denial-of-service attacks.”

Spring4Shell vulnerability

On Monday, CISA added the Spring4Shelll vulnerability to the Known Exploited Vulnerabilities Catalog. The agency noted there was evidence that the vulnerability was being actively exploited.

The malware has been assigned the identifier CVE-2022-22965, and it has a CVSS score of 9.8. The vulnerability is known as ‘Spring4Shell”, and it can affect the Spring model-view-controller (MVC) and the Spring WebFlux applications running on the Javas Development Kit 9 and other later versions.

Two Praetorian researchers, Anthony Weems and Dallas Kaman noted that the “exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application.”

The details about the exploitation of this vulnerability by wild actors are still scant, apart from the report that the vulnerability could be exploited using the Mirai malware. However, reports have been that the vulnerability could be exploited for espionage purposes. SecuityScorecard, an information security company, noted that “active scanning for this vulnerability has been observed coming from the usual suspects like Russian and Chinese IP space.”