Spring4Shell flaw is already abused: spreads Mirai malware and more

Hackers have started to use the new flaw that might become a major threat in 2022 to their advantage

Mirai botnet distributed using the newly disclosed Spring4Shell flaw

Spring4Shell vulnerability is under active exploitation by malicious actors. Multiple reports from researchers state that systems in Singapore have been compromised and botnet Mirai malware released on vulnerable devices.^[1] Last month this zero-day vulnerability was discovered,^[2] and right there and their researchers speculated that this might become a new Log4Shell flaw yet again.

The recent hacker campaigns show that the vulnerability is exploited, and malware gets exploited. These attacks started soon after the bug was publicly reported, according to Qihoo 360 team^[3]:

After March 30, we started to see more attempts such as various webshells, and today, 2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai, has won the race as the first botnet that adopted this vulnerability

Even though this is not yet the same as the Log4Shell flaw, security experts report that there are risks that the exploitation gets out of hand. It is the threat, or remote code execution vulnerability affecting Spring Framework, which is described as the widely used lightweight open-source framework for Java.

The exploitation of Spring4Shell can grant the attacker full control

The vulnerability with a CVSS score of 9.8 is the flaw that can allow malicious actors to gain remote access to the code execution in Spring Core applications. The attacker can fully control the compromised device under non-default circumstances.

The campaign involving this Mirai botnet is the first instance when the malware operators managed to take advantage of the newly discovered and publicized flaw.^[4] The same Mirai botnet creators and another malware Kinsing were leveraging the Log4Shell flaw back in December 2021. Various servers vulnerable to the flaw got breached then.

The exploitation was inevitable, according to some researchers, because all the details on how to fully weaponize and abuse the bug on a larger scale were made public with all the reports and analysis. All the relevant technical details on the vulnerability were publicly released.

Mirai malware – one of the biggest botnet threats on the internet

This botnet has many versions, and it has remained a dangerous malware for years. The botnet is often used for the distribution of denial-of-service attacks.^[5] Another use for such malware is attacking passwords, ransomware deployment, and distribution of threats like cryptocurrency miners.

Mirai is the name given to particular Linux malware that targets smart home devices and links them together into a network of corrupted devices. The botnet targets IP cameras, routers, and similar devices. These activities of the Mirai botnet malware have attracted other threat actors, so the code versions were co-opted by other cybercriminals.

Botnets built from the codebase of this malware continued to break havoc in the technology sector when threat actors took advantage. Mirai botnet is one of the most known threats of this type have been included in catastrophic attacks since at least 2016.^[6]

The fact that this is an old threat does not take away from the level of danger it creates. Mutated versions and updating of the code means that the Mirai botnet, its versions, and threats made based on the public code pose a huge risk to organizations to this day.