Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That’s according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware’s platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

“A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user,” Mike Goldgof, Barracuda’s senior director of product marketing for data protection, network, and application security, tells Dark Reading. “In effect, a hacker can bring down the system, extract data, inject ransomware, etc.”

“Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch,” Goldgof noted. "[And] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware’s advisory, and could allow attackers with local access to achieve root privileges.

In this case, it’s being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming.

“Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort,” Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. “VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers.”

VMware Payloads du Jour
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, “some Log4Shell exploit attempts were also seen in the data,” researchers noted.

As for who’s behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found “consistent background attempts” from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding “defense in depth against zero-day attacks and other vulnerabilities,” according to Barracuda’s Tuesday writeup.

It’s important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

“Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch,” he says. "[And] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."