SOCRadar® Cyber Intelligence Inc. | New Botnet Discovered Exploiting Critical VMware Vulnerability


May 18, 2022
3 Mins Read

New Botnet Discovered Exploiting Critical VMware Vulnerability

The critical VMware vulnerability with code CVE-2022-22954 was discovered to be used by threat actors for remote code execution in botnet and Log4Shell-driven attacks. Although VMware has announced that the vulnerability has been fixed, cyber-attacks continue to infect devices via botnets and create a backdoor with Log4Shell.

Two VMware Vulnerabilities Exploited

Critical VMware vulnerabilities provide a conducive environment for botnet attacks.
Critical VMware vulnerabilities provide a conducive environment for botnet attacks.

One of the vulnerabilities that threat actors use in attacks is CVE-2022-22954 affecting VMware Workspace One Access and Identity Manager with a CVSS score of 9.8. Workspace ONE is used to deliver enterprise applications to devices. Identity Manager is an authentication tool for the platform. The vulnerability that affects these two critical tools allows attackers with network access to RCE.

Another flaw exploited by threat actors is the CVE-2022-22960 privilege escalation vulnerability with a CVSS score of 7.8. This affects Workspace ONE Access, Identity Manager, and vRealize Automation.

Cybersecurity experts state that by combining the two vulnerabilities, threat actors can achieve an ideal exploitation vector.

SOCRadar can assist vulnerability teams in maintaining an accurate inventory of public-facing assets. The platform has extra features to constantly scan these assets and detect new security flaws to complete the entire life span of a vulnerability threat.

Mostly Using PoC Published on GitHub

In the short analysis published by Barracuda, it is stated that exploitation attempts were observed immediately after the proof-of-concept was published on GitHub. Although most of these initiatives are seen as “research,” it can be said that they are preliminary for future cyber attacks.

In actual exploit attempts, IPs and EnemyBot instances have been detected that host Mirai DDoS botnet malware. Log4Shell exploit attempts are also notable.

Security researchers underline that the best way to protect against attacks is to apply patches. They also state that additional defense can be provided with web application firewalls.

Sysrv-k Botnet Infects Windows and Linux Systems

Microsoft has announced that it has discovered a botnet that distributes cryptocurrency miners on Windows and Linux systems. According to the flood on the Microsoft Security Intelligence Twitter account, the new botnet is a new variant of the notorious Sysrv.

According to the tweet thread, the botnet performs a web scan to identify vulnerable servers, looking for security vulnerabilities such as remote code execution and random file downloads. The botnet is thought to use the RCE vulnerability, which mostly affects Spring Cloud Gateway and Oracle Communications Cloud-Native products with the code CVE-2022-22947.

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Get free access.