CISA Cybersecurity Alerts 6.2.22
Ep 20 | 6.2.22

Update 1 to CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Three Eight Bravo update One.

Update released: June second, twenty twenty two.


Malicious cyber actors are actively exploiting multiple critical vulnerabilities in VMware products. Successful exploitation allows malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. 


CISA has updated this alert with additional indicators of compromise, detection signatures, and threat actor TTPs from trusted third parties to assist administrators with detecting and responding to this activity.


Based on this threat activity, CISA has released Emergency Directive twenty two dash zero three, requiring emergency action from Federal Civilian Executive Branch agencies to immediately implement updates or remove the affected software from their network. This directive can be found in the show notes.


Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with VMware products who did not immediately apply patches to assume compromise and initiate threat hunting activities. Detection methods are provided in the alert documentation. If potential compromise is detected, administrators should apply the incident response procedures included in this alert.


Two confirmed compromises against separate victim organizations are outlined in the alert documentation. Victim 1 reports that at least two distinct threat actors gained access to a public-facing server running VMware Workspace ONE Access. The threat actors executed malicious shell scripts, collected and exfiltrated sensitive data, installed multiple webshells, and installed a reverse secure socket proxy.


Victim 2 provided CISA with malicious bash scripts related to the compromise of their systems by threat actors. New signatures for these activities, as well as detection methods, indicators of compromise, threat advisories, mitigation actions, and remediation strategies, are provided in the alert documentation listed in the show notes.


All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or


This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.


This has been a CISA Cybersecurity Alert.