April 11, 2022
Severity
High
Analysis Summary
CVE-2022-22965
Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux.
Note: This vulnerability is also known as Spring4Shell or SpringShell.
The RCE vulnerability gives threat actors full access to the compromised devices, making it a dangerous and critical vulnerability. Spring4Shell is being actively exploited by threat actors to deploy and run the Mirai malware. This exploitation has mainly occurred in the Singapore region. The sample is first downloaded into the “/tmp” folder and then made executable using “chmod”. The “wget.sh” script then downloads the binaries from the attacker’s server and executes the samples.
Impact
- Server Outage
- Data Loss
- Website Downtime
Indicators of Compromise
MD5
- bd0ad51f62599fe31d3b98a6640f7fc0
- 67c5171bd5fadf75809a7cef8523d63a
- 24a9da242b5d80f4df3164cd154b5c88
- b62601cded538c051bf84eb893d3af1b
- daa2a0aaebb794dc672f14cdf271fecc
- a7de7cb5eff5f8ced23efe7eba90c33f
- 850da4f2e67510e609f9b4db7dd7c8ed
SHA-256
- 5fb0c8f3daef02b9d2ab285d0bf348cf1cb7c36708b0034ad0dee4998a16b9e9
- af06644dd95a30d55162666331ea6de0832cdf6f3d1897b276fde7c94d45ad84
- 3d8291da28ab42ba18a58efc18fb62e1d114af631cab678f823f7c28ff84e876
- 0d4ad08e561a3e285000a0c211063d58b543442d2208729aa142883f69a6f5f1
- 220179663c5a0974958caddf23709de8f26cdaee2c92c5920f3b4188e5a44b6f
- 95e9e8e5e412813ff8e949946a5f8c1fbbfc3ead2e74233e432a833777086407
- 9dc7ec24c42cbddb07f8a475297a52d64f8bcb9dc1a1090ac72e8ac27f56cc37
SHA-1
- cc8b2f14c44c0bb86b7233afeb20134e01f84a83
- 0ec68dc5bdb67e255f84c2677512ad928bc9a462
- 9dc2a98f4fa683a299aad74f132f35b9957a8797
- c9d9eba8cb12209d703fce6413eb3194eebbf39b
- ae820885b3e7e8f4e72b97e769ca999636a309ce
- 524d1cd7394ba3b966745b755dc0ccbe686b1eb8
- 4d6cd3c4e51500f722962731ea5ec8b17a23e38a
URL
- http[:]//45[.]95[.]169[.]143/The420smokeplace[.]dns/
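A defender-side check that turns the indicators above into something runnable, added here as an example (it is not Rewterz tooling). It hashes the files in a directory such as the “/tmp” drop location named in the analysis and matches MD5, SHA-1 and SHA-256 digests against the alert's hash list, and it refangs the defanged URL so proxy or web-server logs can be searched for the download host. The hash values and the URL are the ones published in this alert; the log lines and the sample file in `demo()` are constructed.

```python
"""Match local files and log lines against the IoCs published in this alert.

Added example, not part of the alert. Hashes and the URL are copied from the
alert; the sample file and log lines used by demo() are constructed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# IoCs from the alert: MD5, SHA-1 and SHA-256 digests of the Mirai samples.
ALERT_HASHES = {
    "bd0ad51f62599fe31d3b98a6640f7fc0", "67c5171bd5fadf75809a7cef8523d63a",
    "24a9da242b5d80f4df3164cd154b5c88", "b62601cded538c051bf84eb893d3af1b",
    "daa2a0aaebb794dc672f14cdf271fecc", "a7de7cb5eff5f8ced23efe7eba90c33f",
    "850da4f2e67510e609f9b4db7dd7c8ed",
    "5fb0c8f3daef02b9d2ab285d0bf348cf1cb7c36708b0034ad0dee4998a16b9e9",
    "af06644dd95a30d55162666331ea6de0832cdf6f3d1897b276fde7c94d45ad84",
    "3d8291da28ab42ba18a58efc18fb62e1d114af631cab678f823f7c28ff84e876",
    "0d4ad08e561a3e285000a0c211063d58b543442d2208729aa142883f69a6f5f1",
    "220179663c5a0974958caddf23709de8f26cdaee2c92c5920f3b4188e5a44b6f",
    "95e9e8e5e412813ff8e949946a5f8c1fbbfc3ead2e74233e432a833777086407",
    "9dc7ec24c42cbddb07f8a475297a52d64f8bcb9dc1a1090ac72e8ac27f56cc37",
    "cc8b2f14c44c0bb86b7233afeb20134e01f84a83", "0ec68dc5bdb67e255f84c2677512ad928bc9a462",
    "9dc2a98f4fa683a299aad74f132f35b9957a8797", "c9d9eba8cb12209d703fce6413eb3194eebbf39b",
    "ae820885b3e7e8f4e72b97e769ca999636a309ce", "524d1cd7394ba3b966745b755dc0ccbe686b1eb8",
    "4d6cd3c4e51500f722962731ea5ec8b17a23e38a",
}

# Download URL from the alert, kept in its defanged form.
ALERT_URL_DEFANGED = "http[:]//45[.]95[.]169[.]143/The420smokeplace[.]dns/"


def refang(indicator: str) -> str:
    """Convert the defanged notation used in the alert back to a literal string."""
    return indicator.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def file_hashes(path) -> set:
    """Return the lowercase MD5, SHA-1 and SHA-256 hex digests of one file."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}


def scan_directory(directory, iocs=ALERT_HASHES) -> list:
    """Return paths under `directory` whose digest appears in the IoC set."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for p in Path(directory).rglob("*"):
        if p.is_file() and file_hashes(p) & wanted:
            hits.append(str(p))
    return sorted(hits)


def scan_log_lines(lines, url_defanged=ALERT_URL_DEFANGED) -> list:
    """Return (line_number, line) for lines that mention the download host or URL."""
    url = refang(url_defanged)
    host = re.match(r"https?://([^/]+)", url).group(1)
    return [(n, line) for n, line in enumerate(lines, 1) if host in line or url in line]


def demo() -> dict:
    """Run both checks on constructed input and return the results for inspection."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.bin")
    payload = b"constructed sample bytes, not a real Mirai binary"
    with open(sample, "wb") as fh:
        fh.write(payload)
    constructed_iocs = {hashlib.sha256(payload).hexdigest()}
    # Constructed proxy log lines: the first references the alert's host, the second does not.
    logs = [
        '2022-04-11T10:02:13Z 10.0.0.7 GET http://45.95.169.143/The420smokeplace.dns/wget.sh 200',
        '2022-04-11T10:02:14Z 10.0.0.7 GET http://10.0.0.5/status 200',
    ]
    return {
        "hits_against_constructed_iocs": scan_directory(workdir, constructed_iocs),
        "hits_against_alert_hashes": scan_directory(workdir),
        "log_hit_lines": [n for n, _ in scan_log_lines(logs)],
        "sample_path": sample,
    }


if __name__ == "__main__":
    print(demo())
```

Point `scan_directory` at “/tmp” on a suspected host and feed `scan_log_lines` the lines of a proxy or access log; a non-empty result is a match on an indicator from this alert, not proof of compromise by itself, so follow it up with the usual triage.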
Remediation
- Upgrade your operating system.
- Don’t open files and links from unknown sources.
- Install and run anti-virus scans.