Securonix Threat Labs analyzes a currently unpatched zero-day in Spring Core (Spring4Shell) and its potential for remote code execution, outlining exploit mechanics, scope, and defense. The report covers how the vulnerability differs from Log4j, mitigation/detection approaches, and example indicators of compromise. #Spring4Shell #SpringFramework
Keypoints
- The Spring4Shell flaw is a zero-day in the Spring Core framework that could allow remote code execution on affected systems.
- Exploitation requires specific conditions: the vulnerable spring-beans JAR on the application's classpath, an application reachable from outside on a servlet container such as Apache Tomcat, and JDK 9 or later; affected Spring Core versions are 5.3.17 and earlier.
- The exploit has two parts: an ordinary request whose parameters Spring binds onto a plain Java object (POJO), and abuse of that data binding in spring-beans to walk from the bound object through its `class.module.classLoader` property into Tomcat's class loader and reconfigure the access-log valve (directory, prefix, suffix and log pattern), so that the container itself writes attacker-chosen content to the local filesystem.
- The public Python PoC uses this to drop a JSP webshell (tomcatwar.jsp) into the webroot; the shell runs whatever is passed in its `cmd` request parameter through Java's Runtime, giving remote code execution from a browser.
- Mitigation guidance: confirm exposure by checking the Java version and searching the filesystem for the vulnerable spring-beans JAR, note that no patch was available when the report was written, and inspect Tomcat web directories for JSP files that were not deliberately deployed.
- Detection and hunting rely on specific log sources (Sysmon for Linux, NGFW, Osquery, web server and IDS logs) and several analytic and hunting queries that look for webshell activity and for the PoC's request parameters.
- IoCs are provided (IP addresses, URLs, and a domain), with a note that some indicators are beta/low confidence until validated.
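A host-side version of the verification and hunting steps above, added here by the editor and not taken from the Securonix report. It parses `java -version` output, looks for spring-beans JARs at an affected version, and lists JSP files under Tomcat's webapps directory that are not on a known-good list; `demo()` builds a constructed Tomcat layout in a temporary directory so the checks run offline. The affected-version cut-off (5.3.17 and earlier, with the later fix releases 5.3.18 and 5.2.20 treated as safe), the JAR naming pattern and the directory layout are the editor's assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

JAVA_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')
# Matches spring-beans-5.3.17.jar and spring-beans-5.3.17.RELEASE.jar style names.
SPRING_BEANS_RE = re.compile(r'^spring-beans-(\d+)\.(\d+)\.(\d+)(?:[.-][^/]*)?\.jar$')


def parse_java_major(version_output: str):
    """Major Java version from `java -version` output, or None if unparsable.
    Handles both the legacy "1.8.0_292" and the modern "11.0.14" forms."""
    m = JAVA_VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2):   # "1.8.0": the second field is the real major
        return int(m.group(2))
    return major


def is_affected_spring_version(version: str) -> bool:
    """True for 5.3.17 and earlier, the range the report gives. Assumption by
    the editor: the fix releases 5.3.18 and 5.2.20 that shipped later are safe."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[:2] == (5, 2):
        return parts[2] < 20
    return parts < (5, 3, 18)


def find_spring_beans_jars(root) -> list:
    """(path, version, affected) for every spring-beans JAR below `root`."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = SPRING_BEANS_RE.match(name)
            if m:
                version = ".".join(m.groups())
                found.append((os.path.join(dirpath, name), version,
                              is_affected_spring_version(version)))
    return sorted(found)


def find_unexpected_jsps(webapps_root, allowlist=frozenset()) -> list:
    """JSP files under Tomcat's webapps directory that are not on the allowlist.
    The PoC drops tomcatwar.jsp, but the name is attacker-chosen, so anything
    not explicitly deployed is reported."""
    hits = []
    for dirpath, _, files in os.walk(webapps_root):
        for name in files:
            if name.lower().endswith(".jsp") and name not in allowlist:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def run_checks(java_version_output: str, tomcat_root, allowlist=frozenset()) -> dict:
    """Combine the three checks into one report for a Tomcat installation."""
    major = parse_java_major(java_version_output)
    jars = find_spring_beans_jars(tomcat_root)
    jsps = find_unexpected_jsps(os.path.join(tomcat_root, "webapps"), allowlist)
    exposed = major is not None and major >= 9 and any(a for _, _, a in jars)
    return {"java_major": major, "spring_beans": jars,
            "unexpected_jsps": jsps, "likely_exposed": exposed}


def demo() -> dict:
    """Constructed Tomcat layout in a temp dir (not a real host) to exercise the checks."""
    root = tempfile.mkdtemp(prefix="tomcat-")
    lib = Path(root, "webapps", "app", "WEB-INF", "lib")
    lib.mkdir(parents=True)
    (lib / "spring-beans-5.3.17.jar").write_bytes(b"")
    (lib / "spring-core-5.3.17.jar").write_bytes(b"")   # not spring-beans, ignored
    docroot = Path(root, "webapps", "ROOT")
    docroot.mkdir(parents=True)
    (docroot / "index.jsp").write_text("<html></html>")  # legitimately deployed
    (docroot / "tomcatwar.jsp").write_text("<% %>")      # what the PoC leaves behind
    return run_checks('openjdk version "11.0.14" 2022-01-18', root,
                      allowlist={"index.jsp"})


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the captured `java -version` output and the Tomcat base directory to `run_checks()`, and seed the allowlist from the deployment manifest; `likely_exposed` is only true when both the JDK and the spring-beans version meet the report's preconditions.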
MITRE Techniques
- [T1210] Exploitation of Remote Services (listed on the page as "Remote Code Execution") – The vulnerability would allow full remote code execution (RCE) on affected systems. ‘the bug would allow full remote code execution (RCE) to affected systems’
- [T1100] Web Shell (legacy ID, now covered by T1505.003 Server Software Component: Web Shell) – The exploit can result in a crafted webshell (e.g., tomcatwar.jsp) that attackers call via a browser. ‘the file "tomcatwar.jsp" is constructed and the attacker can call it from a web browser’
- [T1059] Command and Scripting Interpreter – The PoC's log pattern expands a request header (%{c1}i) into Java source that executes the cmd parameter through Java's Runtime. ‘java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream();’
- [T1083] File and Directory Discovery – The page maps its verification step (checking the Java version and searching the filesystem for vulnerable JAR filenames) to this technique; note that the quoted text is defender guidance, not observed attacker reconnaissance. ‘Check your system for Java version and vulnerable filenames using the following commands’
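A small access-log scanner, added as an example by the editor and not part of the Securonix report or its hunting queries, showing the two signals the report's webshell and PoC-parameter hunts revolve around: the `class.module.classLoader...` binding parameters and the follow-on `cmd=` call to a dropped JSP. The log lines are constructed, the format is the Apache/Tomcat combined access-log format, and the `pwd` parameter is taken from the public PoC rather than from the page. One caveat is built in: the PoC sends its binding parameters in a POST body, which an access log does not record, so the first sample line produces no hit; unless a web-server or IDS log that captures request bodies is available, the webshell invocation is the reliable signal.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache/Tomcat "combined" access-log format; not real traffic.
# 1: the exploit POST. The PoC carries its parameters in the body, so the access
#    log records only the path and no rule can fire on it.
# 2: a scanner variant that puts the same binding parameters in the query string.
# 3: the dropped webshell being called with a command.
# 4: ordinary traffic to a legitimately deployed JSP.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2022:10:15:01 +0000] "POST /app/ HTTP/1.1" 200 12 "-" "python-requests/2.27"
203.0.113.7 - - [31/Mar/2022:10:15:02 +0000] "GET /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 12 "-" "curl/7.81"
203.0.113.7 - - [31/Mar/2022:10:15:05 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Mar/2022:10:16:00 +0000] "GET /app/index.jsp?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# The property path the PoC binds through to reach Tomcat's class loader.
# Case-insensitive because "Class.Module.ClassLoader" spellings were used to
# slip past naive filters; matched on the URL-decoded query string.
BINDING_RE = re.compile(r"class\.module\.classloader", re.IGNORECASE)

# "cmd" is the parameter the report's quoted PoC line reads; "pwd" is the
# public PoC's access password and is the editor's addition, not from the page.
SHELL_PARAMS = {"cmd", "pwd"}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Detection names that fire for one parsed entry."""
    hits = []
    parts = urlsplit(entry["target"])
    params = parse_qs(parts.query, keep_blank_values=True)   # decodes %xx in names
    if BINDING_RE.search(unquote(parts.query)):
        hits.append("spring4shell_binding_params")
    if parts.path.lower().endswith(".jsp") and SHELL_PARAMS & set(params):
        hits.append("jsp_webshell_invocation")
    return hits


def scan(log_text: str) -> list:
    """(ip, method, path, [detections]) for every line that triggers a rule."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        names = classify(entry)
        if names:
            alerts.append((entry["ip"], entry["method"],
                           urlsplit(entry["target"]).path, names))
    return alerts


def suspicious_sources(log_text: str) -> set:
    """Source IPs worth pivoting on in the NGFW and Osquery data the report lists."""
    return {alert[0] for alert in scan(log_text)}


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Feed a real file with `scan(open(path).read())`; the addresses from `suspicious_sources()` are the pivot for the firewall and endpoint hunts, and any hit on `jsp_webshell_invocation` should be followed by the filesystem check for the JSP it names.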
Indicators of Compromise
- [IP Address] 149.28.147.15, 103.214.146.5, and 4 other addresses
- [URL] http://45.67.230.64/kinsing, http://45.67.230.64/pg2.sh, and 2 more URLs
- [Domain] dns.1433.eu.org
Read more: https://www.securonix.com/blog/detection-and-analysis-of-spring4shell/