
Threat detection for the Spring4Shell vulnerability

A Twitter post showing a remote code execution exploit against Spring, the popular Java web application development framework, dubbed Spring4Shell, had security teams on alert over the past few days. But even before the Spring Framework RCE was publicly disclosed as a 0-day, Threat Stack's behavior-based detections were already watching for the activity this kind of exploit produces and protecting our customers.

Spring4Shell was first published as a screenshot in a now-deleted Twitter post. Attackers quickly reverse-engineered the screenshot and had working exploits within hours. Spring4Shell is a remote code execution threat in Spring's request parameter binding; the publicly known exploit chain requires a Spring application deployed as a WAR on an Apache Tomcat server running JDK 9 or later, and it could put a wide variety of web-based applications at risk.

Even before the threat was made public, Threat Stack customers already had the benefit of high-efficacy threat detection and our 24/7/365 Security Operations Center (SOC) monitoring and expertise, much as they did for Log4j, Dirty Pipe, and others.

This threat, like the other cloud-native infrastructure exploits we’ve seen this year, is a good reminder of the value of having comprehensive visibility for your entire environment. Web-based applications certainly need protection from external attackers but are also susceptible to vulnerabilities at the cloud-native infrastructure level. It’s a good idea to have observability into attacks at both levels, because cloud-native applications are only as secure as the infrastructure they run on.

This blog post explores the ongoing efforts of Threat Stack to help our customers work through the Spring4Shell vulnerability, and provides insight into how we can help whenever the next vulnerability may hit.

As Spring4Shell began to be exploited, Threat Stack took the following steps to determine and reduce the impact on our customers:

Threat Hunting for Spring4Shell indicators 

By alerting on malicious or unusual behavior rather than on a signature for one specific bug, Threat Stack detects evidence of exploitation as it occurs, without waiting for a 0-day to be announced. In practice this means the common follow-on actions of a Spring4Shell exploit, such as the Java process behind the web application spawning a shell or downloading a payload, were already covered by existing rules, along with the workloads where those vulnerabilities exist.

The SOC team immediately began focused threat hunting for indications of the exploit across the entire customer base, and will continue to actively research this vulnerability, updating its efforts as new information comes out.

Rule Refining

The SOC team constantly refines rules to detect threats more explicitly (in this case, the proof-of-concept code that was released). Based on telemetry collected from customers and continued threat hunting, the team continuously tunes the rule set to detect Spring4Shell and other vulnerabilities, and their potential impacts, more precisely.

Customer Notification

Threat Stack customers receive ongoing notifications about the Spring4Shell event. These notifications not only describe the threat but give specific examples of the common exploit vectors the SOC team is focusing on, including data download and process activity.
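To make the three detection vectors above concrete (the released PoC's request parameters, process activity, and a file write that amounts to a data download), here is a toy Python detector. It is an added example, not Threat Stack's rule set or anything from the original post. The access-log lines and process/file events are constructed, and the event field names (`parent_comm`, `comm`, `op`, `path`) and verdict labels are assumptions about what a telemetry source might expose.

```python
"""Toy Spring4Shell detection logic over constructed sample telemetry.

Added example, not Threat Stack's rule set. The event field names
("parent_comm", "comm", "op", "path") and verdict labels are assumptions.
"""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Request indicator: the public PoC abuses Spring's property binding to reach
# Tomcat's ClassLoader via parameter names starting "class.module.classLoader".
# Parameters that go on to rewrite Tomcat's AccessLogValve (pattern, suffix,
# directory, prefix, fileDateFormat) are how the PoC drops a JSP webshell, so
# they get a stronger verdict than a bare probe.
BINDING_IOC = re.compile(r"class\.module\.classLoader", re.IGNORECASE)
VALVE_IOC = re.compile(
    r"classLoader\.resources\.context\.parent\.pipeline\.first\."
    r"(pattern|suffix|directory|prefix|fileDateFormat)",
    re.IGNORECASE,
)
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}

def decode_params(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so %2E / %252E dots cannot evade."""
    out = raw
    for _ in range(rounds):
        nxt = unquote_plus(out)
        if nxt == out:
            break
        out = nxt
    return out

def classify_request(params: str) -> Optional[str]:
    """Verdict for one query string or POST body. The PoC used POST data,
    which default access logs omit, so feed this request logs with bodies."""
    decoded = decode_params(params)
    if VALVE_IOC.search(decoded):
        return "spring4shell-webshell-write"
    if BINDING_IOC.search(decoded):
        return "spring4shell-probe"
    return None

def scan_access_log(lines):
    """Run classify_request over the query string of each access-log line."""
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        verdict = classify_request(query)
        if verdict:
            hits.append((m.group("method"), path, verdict))
    return hits

def classify_process_event(ev: dict) -> Optional[str]:
    """The JVM behind the web app spawning a shell or downloader. Legitimate
    Runtime.exec use trips this too, which is what rule tuning is for."""
    if ev["parent_comm"] != "java":
        return None
    if ev["comm"] in SHELLS:
        return "java-spawned-shell"
    if ev["comm"] in DOWNLOADERS:
        return "java-spawned-downloader"
    return None

def classify_file_event(ev: dict) -> Optional[str]:
    """Tomcat's own JVM writing a .jsp under webapps/, as the PoC makes it do."""
    if ev["comm"] == "java" and ev["op"] == "write" and re.search(r"/webapps/.*\.jsp$", ev["path"]):
        return "jsp-dropped-in-webapps"
    return None

# Constructed samples: a benign request, a PoC-style valve rewrite, a
# %2E-encoded probe, then process and file events with benign decoys.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "GET /shop/items?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Mar/2022:10:01:09 +0000] "GET /shop/items?class.module.classLoader'
    '.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Mar/2022:10:01:10 +0000] "POST /shop/items?class%2Emodule'
    '%2EclassLoader%2EDefaultAssertionStatus=true HTTP/1.1" 400 17',
]
SAMPLE_PROCESS_EVENTS = [
    {"parent_comm": "systemd", "comm": "java"},
    {"parent_comm": "java", "comm": "sh"},
    {"parent_comm": "cron", "comm": "sh"},
]
SAMPLE_FILE_EVENTS = [
    {"comm": "java", "op": "write", "path": "/opt/tomcat/webapps/ROOT/tomcatwar.jsp"},
    {"comm": "java", "op": "write", "path": "/opt/tomcat/logs/localhost_access_log.txt"},
]

def run_all() -> dict:
    """Collect every verdict so a caller (or test) can inspect them."""
    return {
        "requests": scan_access_log(SAMPLE_ACCESS_LOG),
        "processes": [classify_process_event(e) for e in SAMPLE_PROCESS_EVENTS],
        "files": [classify_file_event(e) for e in SAMPLE_FILE_EVENTS],
    }

if __name__ == "__main__":
    print(run_all())
```

Two caveats worth keeping in mind when turning something like this into a production rule. First, the request-side check is only as good as the logs it reads: the published PoC sent its parameters in the POST body, which a default Tomcat access log never records, so request-level detection needs a WAF or application log that captures bodies, while the process and file checks work regardless of how the payload arrived. Second, a Java process spawning `sh` is not exploitation by itself; applications that shell out legitimately will fire this rule too, which is exactly the kind of per-environment tuning the rule-refining step above describes.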

Exploit monitoring

Threat Stack arms our customers with quality data to detect signs of Spring4Shell and other exploits. The team is always available to help customers, and specifically to help work through any inquiries related to Spring4Shell or other vulnerabilities: interpreting our threat hunting findings, making sense of notifications received from other sources, or tuning rules in your environment.

If you would like more details on our Spring4Shell efforts, or want to explore our cloud workload protection capabilities, reach out to us today to discuss how we can help you and your organization, well before the next compromising Twitter post.