Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability.
“Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960” reported by Barracuda.
VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.
The other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.
The VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.
Exploitation Occurred After PoC Release
The Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.
After the bug was disclosed by VMware in April, a proof-of-concept (PoC) was released on Github and shared via Twitter.
“Barracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,” reported Barracuda.
After the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.
“The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,” they added.
The researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the Mirai distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.
The majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.
The researchers noted, “there are also consistent background attempts from known bad IPs in Russia.”
“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” researchers explained
According to Barracuda “the interest levels on these vulnerabilities have stabilized” after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.
The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,” advised by Barracuda.