A vulnerability in a widely used Java framework is being successfully exploited to spread Mirai botnet malware, according to security researchers. An apparent large-scale campaign is making use of the new “Spring4Shell” exploit in a way that potentially impacts millions of companies around the world.
First major exploits of Spring4Shell involve Mirai malware
Mirai became a major threat about five years ago, as the Linux-targeting malware quickly spread around the world. The original criminal group was put out of business in 2018, but the Mirai botnet malware code has since been posted publicly to the internet and circulated widely. Smaller operators continue to use their own versions of it for various purposes, very often harnessing low-security devices for distributed denial of service (DDoS) attacks and leveraging it to penetrate networks via connected Internet of Things (IoT) devices.
The similarities to the dangerous and widespread Log4Shell vulnerability should have served as sufficient warning for organizations to get on top of patching Spring4Shell, but the emergence of the Mirai botnet malware campaign should be the final wake-up call.
Spring4Shell is a little less dangerous (in terms of the total number of networks and devices vulnerable to it) because it requires several specific conditions to be met even when the Spring Core Java framework is in use. One of these is that Java Development Kit 9 (JDK9) specifically must be in use; downgrading to JDK8 blocks Spring4Shell at least temporarily, but the permanent fix is to update Spring Framework to version 5.3.18 or 5.2.20 and Spring Boot to version 2.6.6 or 2.5.12.
Rolling out patches to vulnerable systems as soon as possible is critical: Spring Framework is so widely embedded in networks and software packages that some organizations could be looking at a total remediation time measured in weeks, if not months.
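Because remediation starts with knowing which builds still pull in a pre-fix Spring release, a defender's first step is an inventory check against the fixed versions named above. The following script is an added example written for this article, not code from the article, Trend Micro or the Spring project. It scans a Maven pom.xml for Spring Framework and Spring Boot coordinates, resolves `${property}` versions from the `<properties>` block, and flags anything below 5.3.18/5.2.20 (Spring Framework) or 2.6.6/2.5.12 (Spring Boot). The pom.xml content, the `spring.version` property name and the `com.example` artifact are constructed sample input; a real project's version often comes from a parent BOM, in which case `mvn dependency:tree` output is the thing to check instead.

```python
"""Flag Spring Framework / Spring Boot versions below the Spring4Shell fixes.

Added example for this article (not the article's or Spring's own code).
Only the fix versions named in the article are used; the sample pom.xml
below is constructed input.
"""
import xml.etree.ElementTree as ET

# First fixed release on each maintained branch, per the article.
FIXED = {
    "org.springframework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "org.springframework.boot": {(2, 6): (2, 6, 6), (2, 5): (2, 5, 12)},
}


def parse_version(text):
    """'5.2.20.RELEASE' -> (5, 2, 20); non-numeric qualifiers are dropped."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(group_id, version):
    """True if the version is older than the first fixed release on its branch."""
    branches = FIXED.get(group_id)
    if branches is None:
        return False  # not a Spring artifact this check tracks
    v = parse_version(version)
    fixed = branches.get(v[:2])
    if fixed is None:
        # Branch with no listed fix: anything older than the oldest fixed
        # branch (e.g. 5.1.x / 2.4.x) is unpatched; newer branches are fine.
        return v < min(branches.values())
    return v < fixed


def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def scan_pom(pom_xml):
    """Return [(groupId, artifactId, version)] for vulnerable Spring coordinates.

    Looks at <parent> and every <dependency>; resolves ${prop} from <properties>.
    Versions managed by a BOM (no <version> element) are skipped, since they
    can only be resolved by the build tool itself.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()

    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in ("dependency", "parent"):
            continue
        group = _child_text(elem, "groupId")
        artifact = _child_text(elem, "artifactId")
        version = _child_text(elem, "version")
        if not group or not version:
            continue
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        if version.startswith("${"):
            continue  # property not defined in this pom; unresolved
        if is_vulnerable(group, version):
            findings.append((group, artifact, version))
    return findings


# Constructed sample pom.xml: Boot parent one release short of the fix,
# spring-webmvc pinned through a property, spring-core already patched.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.5</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>5.2.20.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for group, artifact, version in scan_pom(SAMPLE_POM):
        print(f"NEEDS UPDATE: {group}:{artifact}:{version}")
```

Run it against each pom.xml in a repository (`find . -name pom.xml`) to build the remediation list; a version that resolves only through a parent BOM shows up as skipped, so pair the script with the build tool's dependency tree for a complete picture.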
Mirai botnet malware emerges once again as widespread threat
The Mirai botnet malware campaign was found by security researchers with Trend Micro to have begun in Singapore, but is now likely spreading to other countries. Researchers also do not expect Mirai to be the only hacking approach that threat actors try to pair with Spring4Shell.
As many as 80% of global organizations may be making use of the Spring framework in some way, but likely only about one in five of these meet the conditions for Spring4Shell to be exploited. That still leaves a huge number of exposed companies. The Mirai botnet malware campaign is likely just the first of many over the coming months attempting to exploit this common weakness, with cybercriminals specifically scanning the internet for unpatched systems.
The Mirai/Spring4Shell campaign is concerning enough on its own, as it can grant the attacker full access to a compromised system. Devices hit by Mirai malware are generally roped into a botnet used for denial of service attacks and for cryptocurrency mining (among other possibilities), but some hackers have also been seen raiding files from systems compromised by their custom tweaks of the Mirai code.