APT Actors Seen Chaining Unpatched VMware Vulnerabilities, CISA Warns

May 24, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about unpatched VMware vulnerabilities that advanced persistent threat (APT) actors are leveraging to gain full system control. Because VMware products are so widely used, the warnings apply to organizations in all critical infrastructure sectors.

In addition, CISA specifically issued an emergency directive requiring all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products by May 23.

CISA has observed threat actors leveraging two vulnerabilities (CVE-2022-22954 and CVE-2022-22960) both together and separately to exploit victims. The vulnerabilities impact certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Exploiting these vulnerabilities allows threat actors to set off a server-side template injection that could then result in remote code execution (RCE) or escalation of privileges to root.

“VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices,” CISA explained.

These methods are especially concerning because threat actors were able to adapt and develop new capabilities quickly. CISA said it expects malicious cyber actors to develop a capability to exploit the newly released vulnerabilities (CVE-2022-22972 and CVE-2022-22973) within the same VMware products.

“VMware is a very common cloud software service which is also widely present in private-sector organizations including health care. Although the emergency advisory issued by CISA only applies to government agencies, it is strongly recommended that health care entities and their life-critical and mission-critical third parties implement the provided patches as soon as possible,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA) explained in a statement in response to the emergency directive.

“It is clear from the advisory that CISA anticipates immediate and active exploitation of this vulnerability by sophisticated cyber adversaries. These adversaries, which may include hostile nation states, may exploit this vulnerability to gain the ability for remote code execution and broad network access through administrative privileges without the need to authenticate.”

CISA recommended that organizations using the impacted VMware products work quickly to update to the latest version or remove impacted versions from organizational networks. If administrators discover that their systems were compromised, CISA recommended that they immediately isolate systems, collect logs, data, and artifacts, report the incident to CISA, and consider asking for support from a third-party incident response organization.

“Once again, as we see in the CISA advisory and the second multi-agency alert, the bad guys will always take the path of least resistance—if we leave a digital door open through an unpatched vulnerability, they will come in without hesitation,” Riggi noted.