CISA issues directive for exploited VMware bug after IR team deployed to ‘large’ org

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Wednesday ordering federal civilian agencies to patch critical vulnerabilities in VMware products.

CISA said it released the notice after deploying an incident response team “to a large organization where the threat actors exploited CVE-2022-22954” — the name given to a recently-discovered remote code execution vulnerability.

“Additionally, CISA has received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties,” CISA explained

Since April, cybersecurity experts have warned that state-backed actors are exploiting the bugs – CVE 2022-22954 and CVE 2022-22960 – which affect widely-used products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

In the emergency directive, CISA said VMware released updates for the issues on April 6, but hackers managed to reverse engineer the update and begin exploitation of VMware products that were unpatched within 48 hours of the update’s release.

“CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action,” CISA explained. 

The agency noted that they expect hackers to “quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.”

Threat actors are chaining the vulnerabilities together during attacks, according to third party reports sent to CISA. 

“At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,” the agency explained. 

“The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.”

Another incident spotted by CISA on April 13 found hackers using CVE-2022-22954 to drop the Dingo J-spy webshell. Webshells are malicious scripts that enable threat actors to compromise web servers and launch additional attacks.

CISA noted that other cybersecurity entities have seen attackers use the Dingo J-spy webshell. The agency said it will release further updates as it analyzes the malware. 

CISA said it has confirmed that CVE-2022-22954 and CVE-2022-22960 have been exploited in the wild and published the emergency directive because of “the likelihood of future exploitation” as well as “the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

Federal civilian agencies are required to comply with the directive alongside “systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.”

The latest updates issued by VMware must now be implemented by 5 pm on May 23. CISA noted that any instances of impacted VMware products that were accessible from the internet should be assumed to be compromised. 

The agency ordered directors to immediately disconnect the products from the production network and contact them. Networks will only be reconnected “after threat hunt activities are complete with no anomalies detected and updates are applied.”

By May 24, all agencies need to report to CISA about their investigation of the issue. 

Barracuda's Mike Goldgof told The Record that abuse of CVE-2022-22954 would allow a hacker to bring down a system, extract data, inject ransomware, and more.

Tushar Richabadas, lead researcher for Barracuda, said the vulnerability "has been added to the regular rotation of vulnerabilities that are scanned for by threat actors."

"Given how damaging it can be if a VMware installation is exploited by this vulnerability, we’ll see low levels of continual scanning for this vulnerability for quite some time, similar to other VMware vulnerabilities from last year," Richabadas said.

"Any vulnerable VMware installation that can be exploited to be used as part of a DDoS botnet, implanted with a coin miner or used to stage deeper incursions into the network hosting the exploited application. I would not be surprised if these are used to spread ransomware infections into exploited networks – we did see attempts at that with Log4Shell, per Microsoft back in January, with an earlier VMware vulnerability."

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.