16% of organizations worldwide impacted by Spring4Shell Zero-day vulnerability exploitation attempts since outbreak

05/04/2022 06:30 ET

Highlights:

  • In the first weekend since the vulnerability was found, Check Point Research spotted ~37K attempts to exploit the Spring4Shell vulnerability
  • During the first 4 days, 16% of organizations worldwide were impacted by exploitation attempts
  • Software vendors are the most impacted industry, with 28% of organizations impacted
  • The most impacted region is Europe, with an impact of 20%
  • Check Point customers remain protected; the vulnerability does not affect our Infinity portfolio

Last week it was reported that critical vulnerabilities (CVE-2022-22947 / CVE-2022-22965 / CVE-2022-22963) were found in the open source Spring Framework, a programming and configuration model providing infrastructure support for developers building Java applications.
In our previous report we detailed that organizations using Java Spring should immediately review their software and update to the latest versions by following the official Spring project guidance.
In addition, we reported that Check Point CloudGuard AppSec provides pre-emptive protection against exploits of the above CVEs, which means no software update is required and these users are protected.
Today, a week after the outbreak, we share the numbers intercepted by our telemetry regarding the global distribution of exploitation attempts against these vulnerabilities.

In the first weekend since the vulnerability was found, we saw ~37K attempts to exploit the Spring4Shell vulnerability.

Figure 1: Vulnerability Exploitation Attempts Since Outbreak

During the first 4 days after the vulnerability outbreak, 16% of organizations worldwide were impacted by exploitation attempts. The most impacted region is Europe, with an impact of 20%.

Figure 2: % Impacted organization per region

The most impacted industry is software vendors, where 28% of organizations were impacted by the vulnerability.

Figure 3: % Impacted Organization per industry

If your organization is using Java Spring and not using CloudGuard AppSec, immediately review your software and update to the latest versions by following the official Spring project guidance.
If you are already using CloudGuard AppSec, you are protected! No software update is required.
To ensure that you are protected by CloudGuard AppSec, the only thing you need to do is make sure that the Web Application or Web API Best Practice of your Asset is set to the default Prevent mode. No updates or other settings are needed.
The Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, SMB, ThreatCloud and CloudGuard).

Check Point Products Status

Product                               Status
Quantum Security Gateway              Not vulnerable
Quantum Security Management           Not vulnerable
CloudGuard                            Not vulnerable
Infinity Portal                       Not vulnerable
Harmony Endpoint & Harmony Mobile     Not vulnerable
Harmony Connect                       Not vulnerable
SMB                                   Not vulnerable
ThreatCloud                           Not vulnerable

Notes:
– None of Check Point's software versions, including out-of-support versions, are vulnerable.
– No appliances are vulnerable.

IPS protections

Check Point released these IPS protections:

Check Point recommends activating HTTPS Inspection (in the Security Gateway properties -> HTTPS Inspection view), as the attack payload may appear in encrypted or decrypted traffic.

Harmony Endpoint for Linux and CloudGuard Containers Security have been automatically updated with these Check Point protections:

Harmony Endpoint for Linux Protection

  • Exploit_Linux_Spring4Shell_B

CloudGuard Containers Security Protection

  • Exploit_Linux_Spring4Shell_A

CloudGuard Posture Management

Check Point added these CSPM rules to the Azure CloudGuard Best Practices ruleset:

  • D9.AZU.CRY.30 – Ensure that Spring Cloud App has end-to-end TLS enabled
  • D9.AZU.CRY.31 – Ensure that Spring Cloud App enforces HTTPS connections
  • D9.AZU.IAM.33 – Ensure that Spring Cloud App has system-assigned managed identity enabled