CyberWire Daily - CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control. [CISA Cybersecurity Alerts]
Episode Date: May 20, 2022

CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.

Resources:
AA22-138B Alert, Technical Details, and Mitigations
AA22-138B.stix
Emergency Directive 22-03 Mitigate VMware Vulnerabilities
VMware Security Advisory VMSA-2022-0011
VMware Security Advisory VMSA-2022-0014

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. Original release date, May 18, 2022. Last revised, May 19, 2022.
CISA is releasing the Cybersecurity Advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root-level access. VMware released updates for both vulnerabilities on April 6, 2022. Malicious cyber actors were able to reverse-engineer the updates to develop an exploit within 48 hours and began exploiting vulnerabilities in unpatched devices. Based on this activity, CISA expects cyber actors to quickly develop exploits for the new VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973.
In response, CISA has released Emergency Directive 22-03, which requires emergency action from federal civilian executive branch agencies to immediately implement updates or remove the affected software from their network. This directive and resources for remediation actions can be found in the show notes. CISA has received information, including indicators of compromise, about observed exploitation already underway at multiple large organizations from trusted third parties.
The alert documentation provides indicators of compromise and detection signatures for this malicious activity. Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with VMware products who did not immediately apply the updates to assume compromise and initiate threat hunting activities. Detection methods are provided in the alert documentation. If potential compromise is detected, administrators should apply the incident response procedures included in this alert. Links to these resources, including alert documentation, indicators of compromise, mitigation actions, and remediation procedures are listed in the show notes. All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or 888-282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at 855-292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the Cyber Wire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.