The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: vmware

New Malware Families Found Targeting VMware ESXi Hypervisors

New Malware Families Found Targeting VMware ESXi Hypervisors

September 30, 2022Ravie Lakshmanan
Threat actors have been found deploying never-before-seen post-compromise implants in VMware's virtualization software to seize control of infected systems and evade detection. Google's Mandiant threat intelligence division referred to it as a "novel malware ecosystem" that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the  hypervisor  as well as execute arbitrary commands. The  hyperjacking attacks , per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles ( VIBs ) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors. "It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware," Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhaus
VMware Releases Patches for Several New Flaws Affecting Multiple Products

VMware Releases Patches for Several New Flaws Affecting Multiple Products

August 03, 2022Ravie Lakshmanan
Virtualization services provider VMware on Tuesday shipped updates to  address 10 security flaws  affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8), impact VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. The most severe of the flaws is CVE-2022-31656 (CVSS score: 9.8), an authentication bypass vulnerability affecting local domain users that could be leveraged by a bad actor with network access to obtain administrative rights. Also resolved by VMware are three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665) related to JDBC and SQL injection that could be weaponized by an adversary with administrator and network access. Elsewhere, it has also remediated a reflec
LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

August 02, 2022Ravie Lakshmanan
A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.  According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the  Log4Shell vulnerability  against an unpatched VMware Horizon Server. "Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike," researchers Julio Dantas, James Haughom, and Julien Reisdorffer  said . LockBit 3.0 (aka LockBit Black), which comes with the tagline "Make Ransomware Great Again!," is the  next iteration  of the prolific  LockBit RaaS family  that emerged in June 2022 to iron out  critical weaknesses  discovered in its predecessor. It's notable for insti
VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

May 19, 2022Ravie Lakshmanan
VMware has issued patches to contain  two security flaws  impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication. CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the "root" user on vulnerable virtual appliances. "It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," VMware  said . The disclosure follows a  warning  from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two other VMware flaws t
Critical VMware Cloud Director Bug Could Let Hackers Takeover Entire Cloud Infrastructure

Critical VMware Cloud Director Bug Could Let Hackers Takeover Entire Cloud Infrastructure

April 15, 2022Ravie Lakshmanan
Cloud computing and virtualization technology firm VMWare on Thursday rolled out an update to resolve a critical security flaw in its Cloud Director product that could be weaponized to launch remote code execution attacks. The issue, assigned the identifier  CVE-2022-22966 , has a CVSS score of 9.1 out of a maximum of 10. VMware credited security researcher Jari Jääskelä with reporting the flaw. "An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server," VMware  said  in an advisory. VMware Cloud Director, formerly known as vCloud Director, is used by many well-known cloud providers to operate and manage their cloud infrastructures and gain visibility into datacenters across sites and geographies. The vulnerability could, in other words, end up allowing attackers to gain access to sensitive data and take over private clou
Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild

Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild

April 14, 2022Ravie Lakshmanan
A week after VMware released patches to remediate eight security vulnerabilities in VMware Workspace ONE Access, threat actors have begun to actively exploit one of the critical flaws in the wild. Tracked as  CVE-2022-22954 , the security shortcoming relates to a remote code execution vulnerability that stems from server-side template injection in VMware Workspace ONE Access and Identity Manager. The bug is rated 9.8 in severity. "A malicious actor with network access can trigger a server-side  template injection  that may result in remote code execution," the company  noted  in its advisory. The virtualization services provider has since revised its bulletin to warn customers of confirmed exploitation of CVE-2022-22954 occurring in the wild. Cybersecurity firm Bad Packets also  corroborated  that it detected attempts to weaponize the vulnerability. Source:  Bad Packets It's worth noting that the patches shipped last week address seven more vulnerabilities in VMwar
VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products

VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products

April 07, 2022Ravie Lakshmanan
VMware has released security updates to patch eight vulnerabilities spanning its products, some of which could be exploited to launch remote code execution attacks. Tracked from  CVE-2022-22954 to CVE-2022-22961  (CVSS scores: 5.3 - 9.8), the issues impact VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Five of the eight bugs are rated Critical, two are rated Important, and one is rated Moderate in severity. Credited with reporting all the vulnerabilities is Steven Seeley of Qihoo 360 Vulnerability Research Institute. The list of flaws is below - CVE-2022-22954  (CVSS score: 9.8) - Server-side template injection remote code execution vulnerability affecting VMware Workspace ONE Access and Identity Manager CVE-2022-22955 & CVE-2022-22956  (CVSS scores: 9.8) - OAuth2 ACS authentication bypass vulnerabilities in VMware Workspace ONE Access CVE-2022-22957 & CVE-2022-22958  (CVS
VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control

VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control

March 24, 2022Ravie Lakshmanan
VMware on Wednesday released software updates to plug two critical security vulnerabilities affecting its Carbon Black App Control platform that could be abused by a malicious actor to execute arbitrary code on affected installations in Windows systems. Tracked as  CVE-2022-22951 and CVE-2022-22952 , both the flaws are rated 9.1 out of a maximum of 10 on the CVSS vulnerability scoring system. Credited with reporting the two issues is security researcher Jari Jääskelä. That said, successful exploitation of the vulnerabilities banks on the prerequisite that the attacker is already logged in as an administrator or a highly privileged user. VMware Carbon Black App Control is an  application allow listing solution  that's used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates. CVE-2022-22951 has been described as a command injection vulnerability that could enable an authenticated, high privileged actor w
VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

February 16, 2022Ravie Lakshmanan
VMware on Tuesday patched several  high-severity   vulnerabilities  impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition. As of writing, there's no evidence that any of the weaknesses are exploited in the wild. The list of six flaws is as follows – CVE-2021-22040  (CVSS score: 8.4) - Use-after-free vulnerability in XHCI USB controller CVE-2021-22041  (CVSS score: 8.4) - Double-fetch vulnerability in UHCI USB controller CVE-2021-22042  (CVSS score: 8.2) - ESXi settingsd unauthorized access vulnerability CVE-2021-22043  (CVSS score: 8.2) - ESXi settingsd TOCTOU vulnerability CVE-2021-22050  (CVSS score: 5.3) - ESXi slow HTTP POST denial-of-service vulnerability CVE-2022-22945  (CVSS score: 8.8) - CLI shell injection vulnerability in the NSX Edge appliance component Successful exploitation of the flaws could allow a malicious actor with local ad
Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers

Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers

January 26, 2022Ravie Lakshmanan
An initial access broker group tracked as Prophet Spider has been linked to a set of malicious activities that exploits the Log4Shell vulnerability in unpatched VMware Horizon Servers. According to new research published by BlackBerry Research & Intelligence and Incident Response (IR) teams today, the cybercrime actor has been opportunistically weaponizing the shortcoming to download a second-stage payload onto the victimized systems. The payloads observed include cryptocurrency miners, Cobalt Strike Beacons, and web shells, corroborating a previous advisory from the U.K. National Health Service (NHS) that  sounded the alarm  on active exploitation of the vulnerabilities in VMware Horizon servers to drop malicious web shells and establish persistence on affected networks for follow-on attacks. Log4Shell  is a moniker used to refer to an exploit affecting the popular Apache Log4j library that results in remote code execution by logging a specially crafted string. Since public
NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon

NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon

January 08, 2022Ravie Lakshmanan
The digital security team at the U.K. National Health Service (NHS) has raised the alarm on active exploitation of Log4Shell vulnerabilities in unpatched  VMware Horizon  servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks. "The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure," the non-departmental public body  said  in an alert. "Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service." The web shell, once deployed, can serve as a conduit to carry out a multitude of post-exploitation activities such as deploying additional malicious software, data exfiltration, or deployment of r
VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products

VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products

January 06, 2022Ravie Lakshmanan
VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an "important" security vulnerability that could be weaponized by a threat actor to take control of affected systems. The issue relates to a heap-overflow vulnerability — tracked as  CVE-2021-22045  (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary code. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw. "A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine," VMware  said  in an advisory published on January 4. "Successful exploitation requires [a] CD image to be attached to the virtual machine." The error affects ESXi versions 6.5, 6.7, and 7.0; Workstation versions 16.x; and Fusion versions 12.x, with the company yet to
VMware Warns of Newly Discovered Vulnerabilities in vSphere Web Client

VMware Warns of Newly Discovered Vulnerabilities in vSphere Web Client

November 25, 2021Ravie Lakshmanan
VMware has shipped updates to address two security vulnerabilities in vCenter Server and Cloud Foundation that could be abused by a remote attacker to gain access to sensitive information. The more severe of the issues concerns an arbitrary file read vulnerability in the vSphere Web Client. Tracked as CVE-2021-21980, the bug has been rated 7.5 out of a maximum of 10 on the CVSS scoring system, and impacts vCenter Server versions 6.5 and 6.7. "A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information," the company  noted  in an advisory published on November 23, crediting ch0wn of Orz lab for reporting the flaw. The second shortcoming remediated by VMware relates to an  SSRF  (Server-Side Request Forgery) vulnerability in the Virtual storage area network (vSAN) Web Client plug-in that could allow a malicious actor with network access to port 443 on vCenter Server to exploit the flaw by accessing an i
VMware Warns of Critical File Upload Vulnerability Affecting vCenter Server

VMware Warns of Critical File Upload Vulnerability Affecting vCenter Server

September 22, 2021Ravie Lakshmanan
VMware on Tuesday published a new bulletin warning of as many as 19 vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system. The most urgent among them is an arbitrary file upload vulnerability in the Analytics service (CVE-2021-22005) that impacts vCenter Server 6.7 and 7.0 deployments. "A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file," the company  noted ,  adding  "this vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server." Although VMware has published  workarounds  for the flaw, the company cautioned that they are "meant to be a temporary solution until updates […] can be deployed." The complete list of flaws patched by the virtualization services
VMware Issues Patches to Fix New Flaws Affecting Multiple Products

VMware Issues Patches to Fix New Flaws Affecting Multiple Products

August 26, 2021Ravie Lakshmanan
VMware on Wednesday shipped  security updates  to address vulnerabilities in multiple products that could be potentially exploited by an attacker to take control of an affected system. The six security weaknesses (from CVE-2021-22022 through CVE-2021-22027, CVSS scores: 4.4 - 8.6) affect VMware vRealize Operations (prior to version 8.5.0), VMware Cloud Foundation (versions 3.x and 4.x), and vRealize Suite Lifecycle Manager (version 8.x), as listed below - CVE-2021-22022  (CVSS score: 4.4) - Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure CVE-2021-22023  (CVSS score: 6.6) - Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users' information and seize control of an account CVE-2021-22024  (CVSS score: 7.5) - Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
VMware Issues Patches to Fix Critical Bugs Affecting Multiple Products

VMware Issues Patches to Fix Critical Bugs Affecting Multiple Products

August 06, 2021Ravie Lakshmanan
VMware has released security updates for multiple products to address a critical vulnerability that could be exploited to gain access to confidential information. Tracked as  CVE-2021-22002  (CVSS score: 8.6) and  CVE-2021-22003  (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the "/cfg" web app and diagnostic endpoints to be accessed via port 443 by tampering with a host header, resulting in a server-side request. "A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication," the company  said  in its advisory. Suleyman Bayir of Trendyol has been credited with
Critical Auth Bypass Bug Affects VMware Carbon Black App Control

Critical Auth Bypass Bug Affects VMware Carbon Black App Control

June 24, 2021Ravie Lakshmanan
VMware has rolled out security updates to resolve a critical flaw affecting Carbon Black App Control that could be exploited to bypass authentication and take control of vulnerable systems. The vulnerability, identified as CVE-2021-21998, is rated 9.4 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and affects App Control (AppC) versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x. Carbon Black App Control  is a security solution designed to lock down critical systems and servers to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC. "A malicious actor with network access to the VMware Carbon Black App Control management server might be able to obtain administrative access to the product without the need to authenticate," the California-based cloud computing and virtualization technology company  said  in an advisory. CVE-2021-21998 is th
ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack

ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack

June 05, 2021Ravie Lakshmanan
Malicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month. The ongoing activity was detected by Bad Packets on June 3 and corroborated  yesterday  by security researcher Kevin Beaumont. "Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution,"  tweeted  Troy Mursch, chief research officer at Bad Packets. The development follows the publication of a proof-of-concept (PoC) RCE exploit code targeting the VMware vCenter bug. Tracked as  CVE-2021-21985  (CVSS score 9.8), the issue is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by an attacker to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server. Although the flaw was rectified by VMwar
Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities

Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities

June 03, 2021Ravie Lakshmanan
New upgrades have been made to a Python-based "self-replicating, polymorphic bot" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," researchers from Cisco Talos  said  in a deep-dive published today. Said to be in development as far back as 2015,  Necro  (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed " FreakOut " that was found exploiting  vulnerabilities  in network-attached storage (
Critical RCE Vulnerability Found in VMware vCenter Server — Patch Now!

Critical RCE Vulnerability Found in VMware vCenter Server — Patch Now!

May 26, 2021Ravie Lakshmanan
VMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server. Tracked as CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN ( vSAN ) Health Check plug-in, which is enabled by default in the vCenter Server. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server," VMware  said  in its advisory. VMware vCenter Server is a server management utility that's used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x. VMware credited Ricter Z of 360 Noah Lab for reporting the vulnerability. The patch release also rectifies an authenticati
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.