Security researchers at Barracuda discovered a series of attempts to exploit the recently disclosed vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.
Proof-of-concept (PoC) exploit code available on GitHub for the recently announced VMware bugs is being abused by hackers in the wild.
VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954, with a CVSS score of 9.8. The bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager solutions.
The other bug, tracked as CVE-2022-22960 with a CVSS score of 7.8, is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The bug arises from improper permissions in support scripts, allowing an attacker with local access to gain root privileges.
The Barracuda researchers noted that the two flaws are chained together to form a potential full exploitation vector.
After VMware disclosed the bug in April, a PoC was released on GitHub. After the release of the PoC, a spike was seen in use of the exploit.
Researchers also revealed that most of the exploit attempts come primarily from botnet operators. The IPs discovered still seem to host variants of the Mirai DDoS botnet malware, along with some Log4Shell exploits and low levels of EnemyBot attempts.
More than 76% of the attacks originated from the U.S., with most of them coming from data centers and cloud providers. The researchers added that there is a spike in IP addresses from the UK and Russia, and about 6% of the attacks emanate from these locations.
The only way to avoid exploitation of these vulnerabilities is to apply patches as soon as possible. Especially if the system is internet-facing, a WAF has to be implemented and a defense-in-depth strategy has to be applied thoroughly.