FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 208062
Description

This article describes how FortiDeceptor decoys can detect activity related to the Spring4Shell (CVE-2022-22965) remote code execution vulnerability.

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

The specific exploit requires the application to run on Tomcat as a WAR deployment.

Cyber deception against attacks that try to leverage the Spring4Shell vulnerability


1) FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets.

The 'Spring4Shell' exploit targets web applications, so network decoys such as Ubuntu and CentOS with a web server enabled are deployed across several network locations such as the data center, DMZ, and cloud.


2) In addition, the FortiDeceptor customization module allows generating a decoy template from the customer's gold image and deploying it across the network and in the customer's data center.

A decoy that runs the customer's gold image and is joined to the customer's domain network expands the attack surface presented to any malware or threat actor trying to leverage the 'Spring4Shell' vulnerability. In addition, this decoy generates accurate threat intelligence and IOCs about the attack.

Scope

The deception decoys and lures against 'Spring4Shell' attacks can be used in FortiDeceptor v3.3 and above.

Solution

Cyber deception against 'Spring4Shell' attacks:


1) Configure network segments under the 'Deployment Network' section that FortiDeceptor will use to deploy network decoys.

(Due to the nature of the attack, verify that the data center, DMZ, and cloud segments where web servers are located are covered.)


2) Use the 'Customization' feature to deploy a Windows 2016/2019 decoy that runs Apache Tomcat or Windows IIS Server.

(See this video for technical instructions on how to use the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization )


3) Deploy network decoys (Linux with a web server enabled) across the data center, DMZ, and cloud VLAN segments that are configured under the 'Deployment Network' section.


4) Once a threat actor or malware tries to penetrate a decoy with a web server, FortiDeceptor will trigger a real-time alert.


5) FortiDeceptor will leverage the Fortinet Fabric to execute a threat mitigation response to isolate the threat.
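The article does not describe how the decoy's web server recognises a Spring4Shell attempt, so the following is an added illustration, not FortiDeceptor's own detection logic. It scans constructed access log lines (the IP addresses, paths and timestamps are made up for the example) from a decoy running a web server and flags any request whose query parameters target the class.module.classLoader binding path that CVE-2022-22965 abuses through Spring data binding on JDK 9+. Because nobody has a legitimate reason to send requests to a decoy, a single match is enough to raise the alert the article's step 4 refers to.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access log lines from a decoy web server.
# Addresses, paths and timestamps are invented for this example.
SAMPLE_LOG = """\
10.0.5.23 - - [31/Mar/2022:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.5.23 - - [31/Mar/2022:10:12:05 +0000] "POST /app/login HTTP/1.1" 302 0
10.0.9.77 - - [31/Mar/2022:10:13:40 +0000] "GET /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 200 512
10.0.9.77 - - [31/Mar/2022:10:13:42 +0000] "GET /app/?CLASS%2EMODULE%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 512
10.0.9.77 - - [31/Mar/2022:10:13:43 +0000] "GET /app/?name=classic&classroom=3 HTTP/1.1" 200 512
"""

# Combined log format: src ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Property path abused by CVE-2022-22965 via Spring data binding on JDK 9+.
# Compared against decoded, lower-cased parameter names so percent-encoded
# dots or unusual casing do not slip past the check.
SUSPICIOUS_PARAM_PREFIX = "class.module.classloader"


def parse_line(line):
    """Return a dict of the log fields plus the decoded query parameter names, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # parse_qsl percent-decodes keys and values; keep_blank_values keeps "key" with no "=".
    rec["params"] = [key for key, _ in parse_qsl(query, keep_blank_values=True)]
    return rec


def suspicious_params(rec):
    """Parameter names in this request that start with the classLoader binding path."""
    return [p for p in rec["params"] if p.lower().startswith(SUSPICIOUS_PARAM_PREFIX)]


def scan(log_text):
    """Scan access log text and return one alert record per matching request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec)
        if hits:
            alerts.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "method": rec["method"],
                "status": int(rec["status"]),
                "param": hits[0],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT spring4shell-probe src={alert['src']} ts={alert['ts']} "
              f"method={alert['method']} param={alert['param']}")
```

Two points matter in practice. Combined-format access logs record only the query string, so parameters sent in a POST body are invisible to this check; a decoy needs request logging that captures bodies, or an inline sensor, to see those. And the match is on the decoded, lower-cased parameter name rather than a literal string, which is what stops trivial encoding variations of the same request from going unflagged while still leaving ordinary parameters such as `classroom` alone.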


FortiDeceptor is part of the Fortinet Security Fabric.


FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, FortiSOAR, FortiEDR, and other Fabric solutions to automate the mitigation response based on attack detection.
