According to figures from one cybersecurity firm, roughly one in six organizations affected by the Spring4Shell zero-day vulnerability has already been targeted by threat actors.
The exploitation attempts occurred within the first four days after the severe remote code execution (RCE) flaw, CVE-2022-22965, and its associated exploit code were publicly disclosed.
Check Point, which compiled the statistics from its own telemetry, detected 37,000 Spring4Shell attacks over the weekend alone.
Software vendors appear to be the most heavily targeted industry, accounting for 28% of the total, possibly because of their exposure to supply-chain threats.
Based on its visibility, Check Point ranks Europe as the most targeted region, at 20%.
This suggests that efforts to exploit the RCE flaw against vulnerable systems are well underway, and threat actors appear to be turning to Spring4Shell while unpatched systems remain exposed. North America accounts for 11% of the Spring4Shell attacks Check Point detected, and other organizations have confirmed active exploitation in the United States.
Yesterday, Spring4Shell was one of four flaws added to the US Cybersecurity & Infrastructure Security Agency's (CISA) catalog of vulnerabilities known to be exploited in real attacks.
The agency has also seen evidence of attacks on VMware products, for which the vendor has published security updates and advisories.
Microsoft also published guidance on detecting and preventing Spring4Shell attacks, stating that it is already analyzing exploitation attempts. CVE-2022-22965 affects Spring MVC and Spring WebFlux applications running on JDK 9 or later, so all Java Spring deployments should be treated as potential attack vectors.
To address the RCE flaw, the vendor released Spring Framework 5.3.18 and 5.2.2 as well as Spring Boot 2.5.12.
Upgrading to these versions or later is therefore strongly advised.
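The three preconditions above (an affected web stack, JDK 9 or later, and a Spring version below the fix release) can be checked mechanically from a dependency listing and the `java -version` banner. The script below is an added example written for this article, not code from Check Point, Microsoft or the Spring project. The fix thresholds are the releases named in the article as stated; any maintenance line not in that table is reported as "unknown" rather than assumed safe, so substitute the vendor advisory's full list for the lines you actually run. The dependency listing and JDK banner are constructed sample input in the `mvn dependency:list` format, not real scan output.

```python
import re

# Fix thresholds per maintenance line, (major, minor) -> first patched patch level.
# Values are the releases named in the article (assumption: they are the complete
# list); lines absent from the table are reported as "unknown", never as patched.
FRAMEWORK_FIXED = {(5, 3): 18, (5, 2): 2}
BOOT_FIXED = {(2, 5): 12}

# Artifacts whose presence marks the affected web stacks (Spring MVC / Spring WebFlux).
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# One line of `mvn dependency:list` output, e.g. "org.springframework:spring-webmvc:jar:5.3.17:compile"
DEP_RE = re.compile(
    r"^\s*(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:jar|war|pom):(?P<version>[^:\s]+)"
)


def parse_version(text):
    """Turn '5.3.17' or '5.3.17.RELEASE' into (major, minor, patch), ignoring qualifiers."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) if n is not None else 0 for n in m.groups())


def patch_status(version, fixed_by_line):
    """Classify a version as 'patched', 'unpatched', or 'unknown' (line not in the table)."""
    major, minor, patch = parse_version(version)
    threshold = fixed_by_line.get((major, minor))
    if threshold is None:
        return "unknown"
    return "patched" if patch >= threshold else "unpatched"


def jdk_major(java_version_output):
    """Read the JDK feature release from `java -version` output ('1.8.0_322' -> 8, '11.0.14' -> 11)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', java_version_output)
    if not m:
        raise ValueError("no version string in java -version output")
    major, minor = int(m.group(1)), m.group(2)
    # Pre-9 JDKs report themselves as 1.x; the feature release is the second component.
    return int(minor) if major == 1 and minor else major


def assess(dependency_listing, java_version_output):
    """Combine dependency versions and JDK level into a CVE-2022-22965 exposure report."""
    findings = []
    uses_web_stack = False
    for line in dependency_listing.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue
        group, artifact, version = m.group("group", "artifact", "version")
        if group == "org.springframework":
            uses_web_stack |= artifact in WEB_ARTIFACTS
            status = patch_status(version, FRAMEWORK_FIXED)
        elif group == "org.springframework.boot":
            status = patch_status(version, BOOT_FIXED)
        else:
            continue
        if status != "patched":
            findings.append((artifact, version, status))
    jdk = jdk_major(java_version_output)
    unpatched = any(status == "unpatched" for _, _, status in findings)
    return {
        "jdk": jdk,
        "web_stack": uses_web_stack,
        "findings": findings,
        # All three preconditions from the article: affected web stack, JDK 9+, unpatched version.
        "exposed": uses_web_stack and jdk >= 9 and unpatched,
    }


# Constructed sample input (not real scan output): a Maven dependency listing and a `java -version` banner.
SAMPLE_DEPS = """\
org.springframework:spring-core:jar:5.3.17:compile
org.springframework:spring-webmvc:jar:5.3.17:compile
org.springframework.boot:spring-boot:jar:2.5.11:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.12.6:compile
"""
SAMPLE_JAVA = 'openjdk version "11.0.14" 2022-01-18'

if __name__ == "__main__":
    report = assess(SAMPLE_DEPS, SAMPLE_JAVA)
    print(f"JDK {report['jdk']}, web stack present: {report['web_stack']}")
    for artifact, version, status in report["findings"]:
        print(f"  {artifact} {version}: {status}")
    print("exposed:", report["exposed"])
```

Run against a JDK 8 banner, the same listing yields `exposed: False` but still lists the unpatched artifacts, which matches the advice above: the JDK 9+ precondition only narrows which hosts are reachable today, and an upgrade is still warranted everywhere.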
System administrators should also be aware of two further remote code execution flaws, CVE-2022-22963 in Spring Cloud Function and CVE-2022-22947 in Spring Cloud Gateway, for which proof-of-concept exploits are already publicly available.