Background
In April 2025, our security monitoring detected a targeted malware attack exploiting a critical vulnerability in Spring Framework 5.3.0. The attacker attempted Remote Code Execution (RCE) via specially crafted HTTP POST requests, aiming to deploy a malicious JSP web shell (tomcatwar.jsp) within the NBN connection infrastructure.
The vulnerability, known as Spring4Shell, leveraged exposed classloader manipulation, a major risk for any unpatched Java application.
Objective
- Detect and mitigate the active exploit attempt.
- Prevent unauthorized access or system compromise.
- Harden the infrastructure against similar future threats.
Approach
- Rapid Detection and Containment
  - Malicious traffic was flagged at 03:16 UTC based on anomalous payload patterns.
  - Immediate isolation of affected services prevented shell deployment.
- Firewall Rule Development
  - A Python-based firewall (firewall_server.py) was quickly developed.
  - The firewall inspected POST requests, blocking payloads containing suspicious Spring RCE patterns (e.g., class.module.classLoader.resources.context.parent.pipeline.first.*).
- Patching and Hardening
  - Immediate upgrade of the Spring Framework to the latest stable version.
  - Enhanced Tomcat configurations to disallow unauthorized file writes.
- Audit and Validation
  - Full forensic review confirmed no successful compromise or data breach.
  - System integrity and operational stability were verified before returning services to production.
Results
- Threat neutralized within 3 hours.
- No customer impact or data exposure occurred.
- New firewall inspection layer added to bolster HTTP request filtering.
- Quarterly dependency review process established to prevent future incidents.
Key Lessons
- Rapid custom tooling (Python-based firewall) was critical in buying time during the attack.
- Up-to-date patching of software frameworks is vital for cybersecurity resilience.
- Early detection, clear communication, and swift isolation significantly reduced the threat impact.