Description |
This article describes how FortiDeceptor Decoys can detect activities related to The Spring4Shell CVE-2022-22965 remote code execution vulnerability. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. Cyber Deception Against cyber attacks that try to leverage Spring4Shell vulnerability
1) FortiDeceptor starts by deploying network decoys across the network segments that create a fake environment that simulates the real network and assets. The 'Spring4Shell' exploit looks to attack web applications, so Network decoys like Ubuntu & CentOS with web server enabled will be deployed across several network locations such as Data Center/ DMZ / Cloud.
2) In addition, the FortiDeceptor customization module allows to generate a decoy template from the customer gold image and deploy it across the network and in the customer data center. The ability to deploy a Decoy that runs the customer gold image and part of the customer domain network will expand the attack surface for any malware or threat actor trying to leverage the 'Spring4Shell' vulnerability. In addition, this decoy will generate accurate threat intelligence and IOC's against the attack. |
Scope |
The Deception Decoys & lures against the 'Spring4Shell' vulnerability attacks can be used in FortiDeceptor V.3.3 and above. |
Solution |
Cyber Deception Against 'Spring4Shell' attacks:
1) Configure network segments under the 'Deployment Network' section that FortiDeceptor will use to deploy network decoys. (Due to the nature of the attack, verify that the Data Center/ DMZ / Cloud segments where WEB servers located are covered).
2) Use the 'Customization' feature to deploy windows2016/2019 Decoy that runs Apache Tomcat or Windows IIS Server. (See this video for technical instruction on how to use the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization ).
3) Deploy network Decoys (Linux with WEB enabled) across the Data Center/ DMZ / Cloud segments network VLANs segments that are configured under the 'Deployment Network' section.
4) Once a threat actor or malware tries to penetrate a decoy with a web server, Fortideceptor will trigger a real-time alert.
5) FortiDeceptor will leverage the Fortinet Fabric to execute a threat mitigation response to isolate the threat.
FortiDeceptor is Part of the Fortinet Security Fabric.
FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, FortiSOAR, FortiEDR, and other Fabric solutions to automate the mitigation response based on attack detection. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.