Hacker exploits Spring4Shell vulnerability in Microsoft cloud services

Ddos April 5, 2022 2 minutes read

Recently, Microsoft issued an announcement saying that the security team detected an attack that was exploiting the recently exposed Spring4Shell remote code execution vulnerability, targeting its own cloud service products.

Spring4Shell (CVE-2022-229605) exists on Spring Framework which allows an unauthenticated attacker sends a simple HTTP POST to a vulnerable app to execute commands on the server. “Microsoft regularly monitors attacks against our cloud infrastructure and services to defend them better,” the Microsoft 365 Defender Threat Intelligence Team said.

Attackers can exploit Spring Core security flaws by sending specially crafted queries to servers running the Spring Core framework, according to a report published on the 4th. This creates a web shell in the Tomcat root directory and uses it to execute commands on the infected server.

Microsoft determined that the affected systems had the following characteristics:

JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
Spring Framework version 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions

spring-webmvc or spring-webflux dependency

In addition, Microsoft says that “any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.”

On April 5, Check Point released a report assessing that Spring4Shell exploit attempts have reached 16% of all affected devices or organizations, and according to internal monitoring data, over the weekend alone, Check Point researchers detected approximately 37,000 Spring4Shell exploits.

Via: bleepingcomputer