Experts have warned that alleged government hackers are actively exploiting two vulnerabilities in VMware (both rated 9.8 out of 10 on the CVSS scale) in the hope of infecting corporate networks with backdoors and other malware.
Back in April of this year, VMware experts discovered and fixed the RCE vulnerability CVE-2022-22954, as well as the privilege escalation vulnerability CVE-2022-22960. Also, let me remind you that we reported that the RCE vulnerability in VMware vCenter is already under attack, and that VMware fixed critical vulnerabilities in Carbon Black App Control.
According to a security bulletin released this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the hackers were able to reverse-engineer both patches and create exploits in less than 48 hours, and then proceeded to attack the vulnerabilities.
After compromising a vulnerable device, attackers use the obtained root access to install the Dingo J-spy web shell. It is known that at least three unnamed organizations have already suffered from such attacks.
According to CISA, APT groups, that is, well-funded and technically advanced hackers who are usually backed by the governments of various countries, are most likely responsible for these attacks.
Also this week, VMware warned customers to immediately fix another critical authentication bypass vulnerability “affecting local domain users” that can be used to gain administrative privileges. The vulnerability received the identifier CVE-2022-22972.
Another bug fixed this week, CVE-2022-22973, can be used for local privilege escalation: using this problem, attackers can elevate their rights to the root level.
The full list of VMware products affected by the latest vulnerabilities includes:
- VMware Workspace ONE Access;
- VMware Identity Manager (vIDM);
- VMware vRealize Automation (vRA);
- VMware Cloud Foundation;
- vRealize Suite Lifecycle Manager.