arstechnica.com
URL:
https://arstechnica.com/information-technology/2022/04/trend-says-hackers-have-weaponized-springshell-to-install-mirai-m...
Submission: On April 14 via api from IN — Scanned from DE
REAL OR HONEYPOT?

Trend says hackers have weaponized SpringShell to install Mirai malware

Researchers have been in search of vulnerable real-world apps. The wait continues.

Dan Goodin - 4/8/2022, 10:30 PM

Researchers on Friday said that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open source piece of malware that wrangles routers and other network-connected devices into sprawling botnets.

When SpringShell (also known as Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a sizable portion of apps on the Internet. That comparison proved to be exaggerated because the configurations required for SpringShell to work were by no means common. To date, there are no real-world apps known to be vulnerable.

Researchers at Trend Micro now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published didn’t identify the type of device or the CPU used in the infected devices. The post did, however, say a malware file server they found stored multiple variants of the malware for different CPU architectures.

“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The exploits allow threat actors to download Mirai to the “/tmp” folder of the device and execute it following a permission change using “chmod.”

The attacks began appearing in researchers' honeypots early this month. Most of the vulnerable setups were configured to these dependencies:

* Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher
* Apache Tomcat
* Spring-webmvc or spring-webflux dependency
* Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
* Deployable, packaged as a web application archive (WAR)

Trend said the success the hackers had in weaponizing the exploit was largely due to their skill in using exposed class objects, which offered them multiple avenues. “For example,” the researchers wrote, “threat actors can access an AccessLogValve object and weaponize the class variable ‘class.module.classLoader.resources.context.parent.pipeline.firstpath’ in Apache Tomcat. They can do this by redirecting the access log to write a web shell into the web root through manipulation of the properties of the AccessLogValve object, such as its pattern, suffix, directory, and prefix.”

It’s hard to know precisely what to make of the report. The lack of specifics and the geographical tie to Singapore may suggest a limited number of devices are vulnerable, or possibly none, if what Trend Micro saw was some tool used by researchers. With no idea what or if real-world devices are vulnerable, it’s hard to provide an accurate assessment of the threat or provide actionable recommendations for avoiding it.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001