Cyber Security Alert From CISA – Threat Actors Exploiting Multiple VMware Flaws


We are actively monitoring the situation following an alert from CISA

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States is currently monitoring several VMware vulnerabilities that threat actors are exploiting, separately and in combination, to gain full control of affected systems.

In its Cybersecurity Advisory (CSA) released on 18 May 2022, CISA warns businesses that advanced persistent threat (APT) actors are actively exploiting two VMware vulnerabilities, both separately and in tandem.

The two flaws work differently. CVE-2022-22954 lets an actor with network access to the web interface trigger a server-side template injection that may result in remote code execution (RCE). CVE-2022-22960 lets an actor with local access escalate privileges to root. Chained, they give an attacker who starts with nothing more than network access root-level control of the appliance.

Both vulnerabilities affect certain versions of:

  • VMware Workspace ONE Access
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation, and
  • vRealize Suite Lifecycle Manager.
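For readers unfamiliar with the term, the following Python snippet is an added, constructed illustration of the server-side template injection (SSTI) class referred to above. It is not code from CISA, VMware or LoughTec, and it is not the VMware flaw itself (the affected products are not written in Python). The toy template engine, its `${...}` syntax and the probe strings are assumptions made for the example. It contrasts the vulnerable pattern, untrusted text concatenated into template source, with two hardened forms: the same engine fed the text as data, and an engine that evaluates nothing at all.

```python
"""Constructed illustration of server-side template injection (SSTI).

This is an added example, not the VMware code or the CVE-2022-22954
exploit.  A template engine that evaluates ${...} expressions is modelled
with Python's eval(), standing in for engines that let template authors
call methods on objects.  The defect SSTI relies on is the same in every
engine: untrusted input is spliced into the template *source* instead of
being handed to the template as *data*.
"""
import re
import string

# Toy engine (assumption for this example): every ${...} block in the
# template source is evaluated as a Python expression.
EXPR = re.compile(r"\$\{([^}]*)\}")


def render_expr_template(template_source: str, **data) -> str:
    """Render a template whose ${...} blocks are evaluated as expressions.

    Whoever controls template_source can run arbitrary code, so this is
    only acceptable when the source is trusted developer-authored text.
    A fresh, empty globals dict is passed, so eval() supplies the normal
    builtins (including __import__); only `data` is visible as locals.
    """
    def evaluate(match):
        return str(eval(match.group(1), {}, dict(data)))
    return EXPR.sub(evaluate, template_source)


def greet_vulnerable(user_supplied: str) -> str:
    """SSTI pattern: untrusted text is concatenated into the template source."""
    return render_expr_template("Hello, " + user_supplied + "!")


def greet_as_data(user_supplied: str) -> str:
    """Same engine, but untrusted text is passed as data, never as source.

    The substituted value is not re-scanned, so ${...} inside it is inert.
    """
    return render_expr_template("Hello, ${name}!", name=user_supplied)


def greet_no_eval(user_supplied: str) -> str:
    """Safer still: an engine that only substitutes and evaluates nothing."""
    return string.Template("Hello, ${name}!").substitute(name=user_supplied)


# Constructed probe payloads of the kind used to confirm SSTI.  If the
# arithmetic is evaluated, attacker text is reaching the interpreter.
PROBE = "${7*7}"
# Stand-in for a command-execution primitive: reaching __import__ from
# template text is the step that turns template injection into RCE.
CODE_EXEC = "${__import__('os').name}"


def is_injectable(render) -> bool:
    """True if the given render path evaluates the probe's arithmetic."""
    return render(PROBE) == "Hello, 49!"


if __name__ == "__main__":
    for fn in (greet_vulnerable, greet_as_data, greet_no_eval):
        print(f"{fn.__name__:17s} injectable={is_injectable(fn)} "
              f"probe={fn(PROBE)!r} code_exec={fn(CODE_EXEC)!r}")
```

Run it directly to see the three paths side by side: only `greet_vulnerable` turns `${7*7}` into `49`, which is the standard quick probe for SSTI, and on the same path `CODE_EXEC` reaches the interpreter's import machinery. Passing user text as data stops the injection in this engine, but an engine that exposes no code execution to template text at all is the safer default, because it removes the primitive rather than relying on every call site to keep source and data apart.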


What Does This Mean for Our Clients?

Exploited together, these flaws give an attacker remote code execution on the appliance and, from there, root. Based on the activity seen so far, CISA expects threat actors to quickly develop exploits for the newly released vulnerabilities CVE-2022-22972 (an authentication bypass) and CVE-2022-22973 (a local privilege escalation) in the same VMware products.

CISA’s Recommendations

  • Immediately patch impacted VMware products to the latest version, or remove impacted versions from organizational networks.
  • If affected VMware products are reachable from the internet and were not updated as soon as fixes were released, assume compromise and begin threat hunting using the detection methods provided in the CSA.
  • If potential compromise is detected, apply the incident response recommendations included in the CSA.


Although LoughTec’s Security Operations Centre has not seen any indicators of compromise in our partners’ environments, we urge you to patch as soon as possible. We will continue to monitor the situation actively, and we are confident that our experienced MDR analysts and technology will continue to protect your business.

Contact Cyber Security Company LoughTec for a free no-obligation discussion on your business cyber security posture. Call +44 (0) 28 8225 2445 or email info@loughtec.com.

LoughTec: Watertight Cyber Security and IT Solutions