UPDATE: June 2, 2022: The Cybersecurity and Infrastructure Security Agency (CISA) confirmed two compromises of VMware vulnerabilities that surfaced in April, according to an advisory update Thursday.
The incursions, initiated by multiple threat actors, hit the pair of enterprises after VMware disclosed vulnerabilities and released updates to patch impacted software. CISA identified additional indicators of compromise, including detection signatures, malicious scripts and IPs, techniques and procedures used by threat actors in the wild.
The agency encouraged enterprises to reference the updated details to search for signs of post-exploitation activities and report incidents to CISA.
- VMware customers are under active threat from an adversary exploiting multiple vulnerabilities to remotely execute malicious code and perform root privilege escalation, CISA warned in an emergency directive Wednesday.
- The full system control exploits resurfaced after malicious cyber actors, likely advanced persistent threat actors, successfully reverse engineered updates VMware released in early April to address multiple vulnerabilities. Threat actors outmaneuvered VMware’s previous patches and developed an exploit within 48 hours, according to CISA.
- CISA directed all 101 federal civilian executive branch agencies to identify all instances of the affected VMware products and deploy a pair of patches the vendor released in a security advisory Wednesday or remove the instances from their networks.
This is the latest in an ongoing security saga for VMware, a vendor threat actors have prodded frequently in the last year.
VMware products are a common and recurring target for threat actors. Log4Shell vulnerabilities in VMware Horizon were exploited to create web shells in January 2022, less than a month after the vendor issued security updates following initial Log4j vulnerability disclosures. Days later, threat actors were installing Cobalt Strike implants in multiple VMware Horizon servers.
Recent security shortcomings, however, have left stakeholders questioning whether fixes will stick. CISA conveyed concerns over VMware’s latest patches, citing threat actors' previous ability to quickly circumvent the vendor’s prescribed fixes.
“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18,” CISA wrote in the emergency directive.
The vulnerabilities have the potential for severe damage, rating high on the common vulnerability scoring system, VMware found. The authentication bypass vulnerability, CVE-2022-22972, earned a 9.8 score while the local privilege escalation vulnerability, CVE-2022-22973, received a 7.8.
Impacted products include VMware’s Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. The vendor also warned customers that VMware Identity Manager can authenticate and authorize access to other products, potentially extending the risk to NSX, vRealize Operations, vRealize Log Insight and vRealize Network Insight.
Malicious actors can exploit the vulnerabilities to obtain administrative access without the need to authenticate and escalate privileges to root with local access, according to VMware. “The ramifications of this vulnerability are serious,” VMware wrote in a corollary FAQ.
Organizations using affected VMware products that are accessible online should assume they’ve been compromised and initiate threat-hunting activities, according to CISA. Enterprises or government agencies that detect a potential compromise are advised to follow incident response guidance detailed in CISA’s cybersecurity advisory.