Malicious hackers, some believed to be state-supported, are actively exploiting two unrelated vulnerabilities — both with a severity rating of 9.8 out of a possible 10 — in hopes of infecting sensitive corporate networks with backdoors, botnet software, and other forms of malware.
The ongoing attacks target unpatched versions of multiple VMware product lines and F5’s BIG-IP software, security researchers said. Both vulnerabilities allow attackers to remotely execute malicious code or commands that run with unlimited root system privileges. The largely uncoordinated exploits appear to be malicious, unlike benign scans that attempt to identify vulnerable servers and quantify their numbers.
First up: VMware
On April 6, VMware disclosed and patched a remote code execution vulnerability tracked as CVE-2022-22954 and a privilege escalation flaw tracked as CVE-2022-22960. According to an advisory published Wednesday by the Cybersecurity and Infrastructure Security Agency, “malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the vulnerabilities revealed in unpatched devices.”
CISA said the actors were likely part of an advanced persistent threat, a term for sophisticated and well-funded hacker groups typically backed by a nation-state. Once the hackers compromise a device, they use their root access to install a web shell known as Dingo J-spy on the networks of at least three organizations.
“According to reliable third-party reporting, threat actors can link these vulnerabilities together. At a compromised organization, on or about April 12, 2022, an unauthenticated actor with network access to the web interface used CVE-2022-22954 to execute any shell command as a VMware user,” the advisory said Wednesday. “The actor then abused CVE-2022-22960 to escalate the user’s permissions to root. With root access, the actor was able to clear logs, escalate permissions and move laterally to other systems.”
Independent security researcher Troy Mursch said in a direct message that the exploits he has trapped in a honeypot contain payloads for botnet software, web shells and cryptominers. CISA’s advisory came on the same day that VMware revealed and patched two new vulnerabilities. One of the vulnerabilities, CVE-2022-22972, also has a severity rating of — you guessed it — 9.8. The other, CVE-2022-22973, gets a 7.8.
Given the exploits already underway for the VMware vulnerabilities that were patched last month, CISA said it “expects that malicious cyber actors will quickly develop an ability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973” in the same affected VMware products.
BIG-IP also under attack
Meanwhile, corporate networks are also being attacked by hackers who exploit CVE-2022-1388, an unrelated vulnerability with a severity rating of 9.8 found in BIG-IP, a software package from F5. Nine days ago, the company revealed and patched the vulnerability, which hackers can exploit to execute commands that run with root system privileges. The scope and severity of the vulnerability caused surprise and alarm in some security circles.
Within days, exploit code became publicly available, and almost immediately afterward, researchers reported exploit attempts. It was not clear at the time whether blackhats or whitehats were conducting the activity.
In more recent days, however, researchers have picked up thousands of malicious requests showing that a significant portion of the exploits are being used for nefarious purposes. In an email, researchers from security firm Greynoise wrote:
Since the requests related to this exploit require a POST request and result in an unauthenticated command shell on the F5 Big-IP device, we classified actors using this exploit as malicious. We have seen actors use this exploit through anonymity services such as VPNs or TOR exit nodes in addition to well-known internet VPS providers.
We expect actors trying to find vulnerable devices to use non-invasive techniques that don’t involve a POST request or result in a command shell, cataloged in our tag for F5 Big-IP crawlers: https://viz.greynoise.io/tag/f5-big-ip-crawler. This crawler tag experienced an increase in traffic associated with the release of CVE-2022-1388.
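The classification rule Greynoise describes above (a POST that yields an unauthenticated command shell is treated as malicious, while non-invasive probing of the management API is treated as scanner traffic) can be applied to a BIG-IP's own web-server access logs during triage. The following script is an added example written for this article; it is not code from Greynoise, F5 or the article's author. The iControl REST command endpoint path and the combined-log-format line layout are assumptions taken from public detection guidance rather than from the article, and the log lines are constructed samples using RFC 5737 documentation addresses.

```python
"""Triage web-server access-log lines for CVE-2022-1388-style activity.

Added illustration, not code from the article, Greynoise or F5. It applies the
POST-vs-probe rule from the Greynoise email: a POST to the iControl REST command
endpoint is a command-execution attempt (a 200 means the device ran it), while
GET/HEAD requests against the management API are treated as reconnaissance.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: the iControl REST endpoint that runs shell commands, taken from
# public detection guidance for CVE-2022-1388, not from the article.
COMMAND_ENDPOINT = "/mgmt/tm/util/bash"
MGMT_PREFIX = "/mgmt/"

# Combined-log-format style line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-)'
)


@dataclass(frozen=True)
class AccessEvent:
    ip: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[AccessEvent]:
    """Return an AccessEvent, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return AccessEvent(m["ip"], m["method"], m["path"], int(m["status"]))


def classify(ev: AccessEvent) -> str:
    """Map one request to a triage verdict following the POST-vs-probe rule."""
    if ev.method == "POST" and ev.path.startswith(COMMAND_ENDPOINT):
        # A 200 here means the device executed the request: treat it as a
        # likely compromise rather than a scan.
        if ev.status == 200:
            return "command-execution-success"
        return "command-execution-attempt"
    if ev.method in ("GET", "HEAD") and ev.path.startswith(MGMT_PREFIX):
        # Non-invasive probing of the management API: crawler/scanner traffic.
        return "recon-scan"
    return "unclassified"


def triage(log_text: str):
    """Count verdicts and list source IPs that attempted command execution."""
    counts: Counter = Counter()
    suspicious = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        verdict = classify(ev)
        counts[verdict] += 1
        if verdict.startswith("command-execution"):
            suspicious.add(ev.ip)
    return dict(counts), sorted(suspicious)


# Constructed sample log lines (not real captures); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [09/May/2022:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.27"
198.51.100.7 - - [09/May/2022:10:01:12 +0000] "GET /mgmt/shared/authn/login HTTP/1.1" 401 88 "-" "python-requests/2.27"
203.0.113.45 - - [09/May/2022:10:02:03 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 310 "-" "curl/7.79"
203.0.113.46 - - [09/May/2022:10:02:05 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0 "-" "curl/7.79"
192.0.2.10 - - [09/May/2022:10:03:00 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 240 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    verdict_counts, sources = triage(SAMPLE_LOG)
    print(verdict_counts)
    print("sources to investigate:", sources)
```

On the sample, the successful POST from 203.0.113.45 is the line that warrants an incident response rather than a block-and-move-on: as the Greynoise text notes, the request itself is the compromise, so a 200 response means the host should be treated as already affected. The 401 from 203.0.113.46 and the GET probing from 198.51.100.7 are recorded at lower priority, and the authenticated login POST is left unclassified because it is ordinary administrative traffic.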
Mursch said the BIG-IP exploits are trying to install the same trio of web shells, malware for performing distributed denial-of-service attacks, and cryptominers seen in the attacks on unpatched VMware machines. For example, the image below shows an attack attempting to install widely recognized DDoS malware.
The following three images show how hackers exploit the vulnerability to run commands that look for encryption keys and other types of sensitive data stored on a compromised server.
Given the threat posed by ransomware and nation-state hacking campaigns, such as those used against SolarWinds and Microsoft customers, the potential damage from these vulnerabilities is significant. Administrators should prioritize investigating these vulnerabilities on their networks and act accordingly. Advice and guidance from CISA, VMware and F5 can be found here, here, here and here.