On May 18, 2022, CISA issued a notice warning organizations of potential exploitation attempts against known vulnerabilities in VMware products tracked as CVE-2022-22954 and CVE-2022-22960. Once exploited, the flaws allow threat actors to perform malicious server-side template injection. More specifically, exploitation of CVE-2022-22954 can lead to remote code execution, while CVE-2022-22960 can be weaponized for privilege escalation. The risk is compounded by the fact that the newly discovered VMware bugs can be used in exploit chain attacks.

Detect CVE-2022-22954 and CVE-2022-22960 Exploitation Attempts

To detect exploitation patterns related to the CVE-2022-22954 VMware flaw, SOC Prime’s Detection as Code platform offers a batch of dedicated Sigma rules:

Sigma rules to detect CVE-2022-22954 exploitation attempts

Also, cybersecurity professionals can access the newly released Sigma rule for CVE-2022-22960 detection crafted by our keen Threat Bounty developer Sittikorn Sangrattanapitak:

Possible VMware Privilege Escalation To Root Account [CVE-2022-22960] (via process creation)

To gain access to these curated Sigma rules, make sure to log in or sign up for the platform for the most streamlined detection experience. All detections are aligned with the MITRE ATT&CK® framework to provide relevant threat visibility and are available for the majority of SIEM, EDR, and XDR solutions supported by SOC Prime’s platform.

To detect exploitation attempts of multiple known vulnerabilities impacting VMware products, explore the extensive collection of detection algorithms available in SOC Prime’s platform. Click the View Detections button to reach the dedicated rule kit. Cybersecurity experts striving to make a difference and enrich the detection content library with their own contributions are prompted to join the Threat Bounty Program and get a chance to turn their professional skills into recurring financial benefits.

View Detections Join Threat Bounty

VMware Vulnerabilities Analysis

VMware released updates for both CVE-2022-22954 and CVE-2022-22960 one month ago, yet threat actors began exploiting the flaws in unpatched VMware instances within 48 hours of the updates' release. According to CISA’s BOD 22-01, federal bodies were prompted to take immediate action and implement the updates for the above-mentioned vulnerabilities to minimize security risks.

According to the latest Cybersecurity Advisory, CVE-2022-22954 and CVE-2022-22960 may be chained together to gain full system control. One of the victims reported that adversaries first exploited CVE-2022-22954 to run an arbitrary shell command and then leveraged the second VMware flaw in the exploit chain for privilege escalation. With root access, attackers were free to wipe logs, elevate permissions, and move laterally to further gain control over the compromised system. In addition, cybersecurity researchers observed another incident in which CVE-2022-22954 was abused to spread a malicious Dingo J-spy webshell.

Cybersecurity researchers had earlier observed a couple of other critical vulnerabilities in VMware vCenter. In February 2021, a remote code execution flaw tracked as CVE-2021-21972 with a CVSS score of 9.8 was identified in the vCenter Server plugin. Once disclosed, this critical vulnerability reportedly led to mass scanning of compromised instances, with a PoC available on GitHub the day after its discovery.

Later in 2021, another critical vulnerability tracked as CVE-2021-22005 was identified in VMware vCenter Server. The flaw was publicly exploited in the wild, and because it exposed a wide range of critical infrastructure to high risk, CISA released a dedicated advisory listing the corresponding mitigation measures.

As for mitigation measures in response to CVE-2022-22954 and CVE-2022-22960 exploitation, the affected VMware products should be promptly updated to the latest version. Also, to minimize the risk of related exploit chain attacks, organizations are advised to remove the affected software versions from their systems.

Progressive organizations looking for ways to stay ahead of the curve can make the most of SOC Prime’s solution aimed to help teams maximize value from their security investments. By joining SOC Prime’s Detection as Code platform, security experts can see in action how they can benefit from accelerated cyber defense capabilities.
