Barracuda Networks, recently found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities while analysing the attacks and payloads between April to May 2022.
On April 6, VMware published a security advisory that listed multiple security vulnerabilities. One of the most severe vulnerabilities in this advisory is a server-side template injection issue, CVE-2022-22954.
This vulnerability allows an unauthenticated user with access to the web interface to execute any arbitrary shell command as the VMware user. The list of vulnerabilities also contained CVE-2022-22960, a local privilege escalation vulnerability in the affected products, which attackers could possibly chain.
VMware confirmed that exploitation of these vulnerabilities in the wild was already occurring. CVE-2022-22954 has a CVSS score of 9.8, and CVE-2022-22960 has a CVSS score of 7.8.
Exploit attempts were spotted for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub.
The attacks have been consistent over time, barring a few spikes.
The majority of the attacks originated from the U.S. geographically, with most of them coming from data centers and cloud providers.
While the spikes are largely from these IP ranges, there were also consistent background attempts from known bad IPs in the UK and Russia.
Researchers explained that some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.
The IPs discovered seems to host variants of the Mirai botnet malware a type of DDoS botnet attempts.
Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda said, “The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems, which will provide in-depth defense against zero-day attacks and other vulnerabilities, including Log4Shell.”
(Image courtesy: www.gbhackers.com)