CISA orders US federal agencies to implement patches ASAP

John Leyden 19 May 2022 at 15:14 UTC

CISA orders US federal agencies to implement patches ASAP

US Federal agencies have been instructed to either immediately patch or temporarily deactivate a set of enterprise products from VMware in response to “active and expected exploitation of multiple vulnerabilities”.

An emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) urges patching of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

If prompt patching is impractical then federal agencies are instructed to remove instances of vulnerable products from agency networks.

**Act fast**

Attackers have reverse engineered recently disclosed software vulnerabilities in the various VMware products in order to develop exploits and attack unpatched systems.

The tactic has already resulted in active exploitation of CVE-2022-22954 and CVE-2022-22960, with more abuse along the same lines likely to follow.

YOU MIGHT ALSO LIKE Popular websites leaking user email data to web tracking domains

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022,” an alert from the agency warns.

In a related advisory issued by VMware on Wednesday (May 18), the vendor explained that it had patched an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) involving VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The CVE-2022-22954 vulnerability already under active attack involves a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that poses a remote code execution risk. The flaw earned a CVSS score of 9.8, close to the maximum possible.

Catch up on the latest cyber-attack news

The CVE-2022-22960 flaw involves a lesser but still high-risk privilege escalation vulnerability involving VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Both flaws have come under active attack, just days after the release of patches, security vendor Barracuda Networks reports:

The vast majority of the attacks came in from the US geographically, with most of them coming in from data centers and cloud providers. While the spikes are largely from these IP ranges, there are also consistent background attempts from known bad IPs in Russia. Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.

The motive behind the attacks remains unclear.

Although the unusual emergency action advisory is primarily directed at US federal agencies, CISA is urging other enterprise organizations to either update or remove installations of the affected products from their networks.

Vulnerable, internet-accessible installations of affected products should be treated as already potentially compromised, CISA adds.

RECOMMENDED Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

Active attacks against VMware flaws prompts emergency update directive

Mischief-makers could ‘disrupt the availability, integrity and confidentiality’ of other tenants

Mischief-makers could ‘disrupt the availability, integrity and confidentiality’ of other tenants

A critical vulnerability in Flux2, the continuous delivery (CD) tool for Kubernetes, can enable rogue tenants in multi-tenancy deployments to sabotage ‘neighbors’ using the same off-premise infrastructure.

Flux is an open and extensible CD solution for keeping Kubernetes clusters in sync with configuration sources, and is used by Maersk, Volvo, SAP, Deutsche Telekom, and Grafana Labs, among other companies.

As version 2 of the tool, Flux2 introduced multi-tenancy support, among other features.

**Improper kubeconfig validation**

Now patched, the remote code execution (RCE) flaw arises through improper validation of kubeconfig files, which “can define commands to be executed to generate on-demand authentication tokens”, according to a security advisory posted on GitHub on Tuesday (May 17).

“Flux2 can reconcile the state of a remote cluster when provided with a kubeconfig file with the correct access rights.”

RELATED DevSecOps and cybersecurity skills are top priorities for enterprise IT – report

Paulo Gomes, senior software engineer at Weaveworks, a Cloud Native Computing Foundation (CNCF) member company that originated GitOps and provides support for Flux and Kubernetes, elaborated: “Flux can synchronize the declared state defined in a Git repository against the cluster in which it is installed, which is the most commonly used approach. Or it can target a remote cluster instead,” he told The Daily Swig.

“The access required for targeting remote clusters largely depends on the intended scope. This is completely flexible and relies on Kubernetes’ RBAC having a wide range of granularity (from a single resource to the entire cluster).”

The upshot, according to the advisory, is that “a malicious user with write access to a Flux source or direct access to the target cluster, could craft a kubeconfig to execute arbitrary code inside the controller’s container”.

**CVSS disparity**

The vulnerability is considerably less dangerous in single-tenant cloud deployments, which accounts for it scoring only 6.8 under the older, CVSS v2 rating system, making the bug medium severity.

“The reason being, an attacker would require almost the same amount of privileges it would gain by exploiting it,” said Gomes.

Catch up with the latest cloud security news

However, the flaw is rated 9.9 according to the latest CVSS version, v3.1, since it introduced a metric around changes of ‘scope’, and – as First describes the ‘changed’ scope metric – the “vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component”.

This is because attackers can also achieve privilege escalation to cluster admin in multi-tenancy environments, provided that the controller’s service account has elevated permissions.

“In the worse-case scenario, a rogue tenant could disrupt the availability, integrity and confidentiality of other tenants,” said Gomes. “The impact would depend on how the cluster and tenants were configured.

“Theoretically, a rogue tenant could deploy applications into other tenants’ clusters for example. But the impact could be reduced by other security controls in place (i.e. admission controllers, OPA, etc).”

**Patches and workarounds**

This vulnerability, which was discovered by the maintainers of Flux, was fixed in Flux2 version v0.29.0, and in Kubernetes operators kustomize-controller (patched in v0.23.0) and helm-controller (v0.19.0).

“Starting from the fixed versions, both controllers disable the use of command execution from kubeconfig files by default, \[so\] users have to opt-in by adding the flag to the controller’s command arguments,” explains the advisory.

“Users are no longer allowed to refer to files in the controller’s filesystem in the kubeconfig files provided for the remote apply feature.”

In lieu of applying updates, users can protect themselves by disabling the vulnerable functionality via Validating Admission webhooks such as OPA Gatekeeper or Kyverno.

They can also apply restrictive AppArmor and SELinux profiles on the controller’s pod to limit which binaries can be executed.

DON’T FORGET TO READ Brace of Icinga web vulnerabilities ‘easily chained’ to hack IT monitoring software

Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors.
The post VMWare vulnerabilities are actively being exploited, CISA warns appeared first on Malwarebytes Labs.

The Cybersecurity & Infrastructure Security Agency has issued an Emergency Directive ED 22-03 and released a Cybersecurity Advisory (CSA) about ongoing, and expected exploitation of multiple vulnerabilities in several VMware products.

**Chaining unpatched VMware vulnerabilities**

The title of the advisory is “Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control”. That’s a bit confusing since there are patches available for these vulnerabilities, but threat actors are actively attacking unpatched systems.

The advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.

**CVE-2022-22954**: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Server-side template injection is when an attacker is able to inject a malicious payload into a template, which is then executed server-side.

**CVE-2022-22960**: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.

Both these vulnerabilities were patched on April 6, 2022. But it took malicious threat actors less than 48 hours to reverse engineer the vendor updates to develop an exploit and start exploiting these disclosed vulnerabilities in unpatched devices.

On May 18, 2022, CISA said it expects malicious threat actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.

**CVE-2022-22972**: is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. In order to exploit this vulnerability, a remote attacker capable of accessing the respective user interface could bypass the authentication for these various products.

**CVE-2022-22973**: is a local privilege escalation vulnerability in the VMware Workspace ONE Access and Identity Manager. In order to exploit this vulnerability, an attacker would need to have local access to the vulnerable instances of Workspace ONE Access and Identity Manager. Successful exploitation would allow an attacker to gain “root” privileges.

**Mitigation**

CISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory VMSA-2022-0014 or remove those instances from networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its catalog of known exploited vulnerabilities, and federal, executive branch, departments, and agencies were all required to patch those vulnerabilities by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.

CISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to initiate threat hunting activities. To help with the threat hunting, CISA has provided detection methods and indicators of Compromise (IOCs) in the CSA.

In the Response Matrix, as listed in the VMWare advisory, you can find the impacted products and versions.

VMWare vulnerabilities are actively being exploited, CISA warns

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.
The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.

The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication.

CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the "root" user on vulnerable virtual appliances.

"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," VMware said.

The disclosure follows a warning from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two other VMware flaws that were fixed early last month — separately and in combination.

"An unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user," it said. "The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems."

On top of that, the cybersecurity authority noted that threat actors have deployed post-exploitation tools such as the Dingo J-spy web shell in at least three different organizations.

IT security company Barracuda Networks, in an independent report, said it has observed consistent probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became public knowledge on April 6.

More than three-fourths of the attacker IPs, about 76%, are said to have originated from the U.S., followed by the U.K. (6%), Russia (6%), Australia (5%), India (2%), Denmark (1%), and France (1%).

Some of the exploitation attempts recorded by the company involve botnet operators, with the threat actors leveraging the flaws to deploy variants of the Mirai distributed denial-of-service (DDoS) malware.

The issues have also prompted CISA to issue an emergency directive urging federal civilian executive branch (FCEB) agencies to apply the updates by 5 p.m. EDT on May 23 or disconnect the devices from their networks.

"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products," the agency said.

The patches arrive a little over a month after the company rolled out an update to resolve a critical security flaw in its Cloud Director product (CVE-2022-22966) that could be weaponized to launch remote code execution attacks.

**CISA warns of active exploitation of F5 BIG-IP CVE-2022-1388**

It's not just VMware that's under fire. The agency has also released a follow-up advisory with regards to the active exploitation of CVE-2022-1388 (CVSS score: 9.8), a recently disclosed remote code execution flaw affecting BIG-IP devices.

CISA said it expects to "see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

Last month attackers quickly reverse-engineered VMware patches to launch RCE attacks. CISA warns it's going to happen again.

The Cybersecurity and Infrastructure Agency (CISA) has issued an emergency directive requiring federal civilian executive branch agencies to update their VMware products impacted by a pair of new vulnerabilities or remove them from their networks.

The VMware bugs – CVE-2022-22972 and CVE-2022-22973 – expose several VMware products to remote code-execution (RCE) attacks. 

CISA said that last month, within just 48 hours of VMware patching its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, advanced persistent threat (APT) actors were able to reverse-engineer the updates to launch attacks. 

"These vulnerabilities pose an unacceptable risk to federal network security," CISA director said Jen Easterly in a statement. "CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government's lead and take similar steps to safeguard their networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA to Federal Agencies: Patch VMware Products Now or Take Them Offline

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2022-22784: Security Bulletin

Transparency and inter-team collaboration key amid escalating threats and compliance requirements

Transparency and inter-team collaboration key amid escalating threats and compliance requirements

Enterprise IT personnel believe cybersecurity skills are their teams’ most important technical capabilities, according to a new report from the DevOps Institute.

Ninety-two percent of respondents to the ‘Upskilling IT 2022’ survey identified security proficiencies as either ‘critical’ or ‘important’ to the execution of their team’s duties.

Next on the league table of ‘must-have technical skills’ was demonstrable knowledge of cloud computing technologies, followed by container orchestration, modern computing technology and architectures, and application technologies.

**Must-have frameworks**

Cited as ‘critical’ or ‘important’ by 93% of those polled, DevOps and DevSecOps topped the rankings for “must-have processes and frameworks” for enterprise IT staff.

The DevOps model is geared towards automating and integrating IT and software development functions, while DevSecOps aims to embed security as a priority and shared responsibility throughout the development lifecycle.

The next most important operating models, according to respondents, were agile practices, site reliability engineering (SRE), design or system thinking, and IT Infrastructure Library (ITIL).

Catch up with the latest DevSecOps news

The relationship between DevOps teams and security personnel is improving, contends the DevOps Institute, with 46% agreeing there was close collaboration between the two teams within their organization, as demonstrated by regular joint meetings and productive use of other communication channels.

Another 28% said there was ‘some’ collaboration between the teams. However, only a small minority intimated that the DevSecOps dream had been fully realized, with 6% claiming that the DevOps and security teams had truly merged into a single unit.

“In a world of escalating threats and increasingly ramped up compliance requirements, transparency, collaboration, and context among development, operations, and security teams is absolutely critical,” David DeSanto, GitLab vice president of product, is quoted as saying in the report.

**‘Human skill gaps’**

Now on its fourth edition, the report also reveals that teams are spending 54% of their time on tool-related upskilling or training, but are impeded by time constraints more than any other factor.

“I am tempted to conclude the following: individuals are saying ‘upskilling is not a priority for me unless it is technical’,” said the DevOps Institute’s chief research officer, Eveline Oehrlich, in a press release.

“I would advise taking a look at the human skill gaps, which (according to our survey) are collaboration and cooperation, creativity, and entrepreneurship and interpersonal skills. Unfortunately, without developing these human skills, success, and outcomes will be difficult to achieve.”

The DevOps Institute, a membership-based professional association and certification authority, polled 2,476 survey respondents involved in application development in 120 countries.

The report is available in global, Americas, EMEA, and APAC versions.

YOU MIGHT ALSO LIKE SharePoint RCE bug resurfaces three months after being patched by Microsoft

DevSecOps and cybersecurity skills are top priorities for enterprise IT – report

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability.

Security researchers at Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.

“Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960” reported by Barracuda.

VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.

The other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.

The VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.

****Exploitation Occurred After PoC Release****

The Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.

After the bug was disclosed by VMware in April, a proof-of-concept (PoC) was released on Github and shared via Twitter.

“Barracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,” reported Barracuda.

After the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.

“The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,” they added.

The researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the Mirai distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.

The majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.

The researchers noted, “there are also consistent background attempts from known bad IPs in Russia.”

“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” researchers explained

According to Barracuda “the interest levels on these vulnerabilities have stabilized” after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.

The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,” advised by Barracuda.

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

By Deeba Ahmed
Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft…
This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems.

The Microsoft Security Intelligence team posted a series of tweets on their official Twitter handle (@MsftSecIntel) to reveal startling details on the new variant of the notorious Sysrv botnet dubbed Sysrv-K.

According to the thread, the new variant exploits vulnerabilities recently identified in the Spring Framework’s API gateway called the Spring Cloud Gateway and WordPress and deploys cryptocurrency miners on Windows and Linux systems.

**How does the Botnet work?**

According to Microsoft, the botnet first scans the web to identify vulnerable servers and installs itself. The vulnerabilities it looks for include remote file disclosure, remote code execution, path traversal, and arbitrary file download.

The tech giant noted that Sysrv-K exploits numerous old flaws, particularly those identified in WordPress, as well as new vulnerabilities like CVE-2022-22947, which has a CVSS score of 10 and affects the Spring Cloud Gateway and Oracle’s Communications Cloud-Native Core Network Exposure Function.

The vulnerability exposes apps to code injection attacks and allows unauthorized attackers to carry out remote code execution. Interestingly, all these vulnerabilities have patches.

**Details of Sysrv and Sysrv-K**

The Sysrv botnet has been active since late 2020 and exploits known security flaws in access interfaces to install a Monero crypto miner on compromised Windows and Linux systems. The older version of the botnet targeted databases and web apps, such as Confluence, Jira, MongoDB, Oracle WebLogic, ThinkPHP, Mongo-Express, Drupal, Apache Struts, and Salt-API, reported Juniper in 2021.

The new version comes with a range of new features. Such as it can scan for WordPress configuration files and their backups to extract database credentials. The botnet uses the information to control the webserver.

Additionally, it boasts advanced communication features, including using a Telegram bot. It can scan for SSH keys, hostnames, and IP addresses and spread its copies across the network to infect the entire network and make it a part of its botnet army.

Microsoft Security Intelligence team on Twitter

**More Linux and Windows Botnet News**

1.  Old crypto-malware makes come back, hits Windows, Linux devices
2.  Kraken botnet bypasses Windows Defender to steal crypto wallet data
3.  HolesWarm crypto-malware hits unpatched Linux and Windows servers
4.  Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices
5.  Linux & Windows hit with disk wiper, ransomware & crypto Xbash malware

**How to Stay Safe?**

Microsoft suggests that organizations using internet-exposed Linux or Windows systems must install security updates immediately as it is imperative to secure these systems. They must ensure “building credential hygiene” and timely apply security updates.

Tag

#rce