Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA

CISA warns that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 in VMware Workspace ONE Access and related products, chaining the two to go from unauthenticated remote code execution to root-level access and full control of the appliance. The operation involved two threat actors (TA1 and TA2) dropping post-exploitation web shells (Dingo J-spy, Godzilla), exfiltrating data, establishing persistence, and deploying a reverse SOCKS proxy, which prompted an emergency directive and incident response actions.

Keypoints

  • Exploits CVE-2022-22954 (server-side template injection leading to unauthenticated RCE) and CVE-2022-22960 (local privilege escalation to root via improper permissions in support scripts) in VMware products.
  • Affected products include VMware Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
  • Attackers reportedly reverse engineered the vendor updates (VMSA-2022-0011) and began exploitation within 48 hours of their release; CISA added both CVEs to its Known Exploited Vulnerabilities catalog and issued Emergency Directive (ED) 22-03.
  • Threat actors dropped post-exploitation tools, including the Dingo J-spy webshell and other web-based shells such as Godzilla; a reverse SOCKS proxy (revsocks) was deployed for tunneling.
  • TA1 staged collected data in a tarball for exfiltration, modified logs, and wiped evidence; TA2 deployed multiple web shells and conducted broad reconnaissance, including OS credential discovery.
  • MITRE ATT&CK-aligned TTPs include exploitation of a public-facing application, web shells, privilege escalation, data collection, and C2 over web protocols and proxy channels; indicators of compromise (IOCs) are provided for detection.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – CVE-2022-22954 is exploited over the network against the server, not a client; the attacker sends a crafted request that triggers a server-side template injection. ‘trigger a server-side template injection that may result in remote code execution (RCE)’.
  • [T1105] Ingress Tool Transfer – Used the RCE to download a malicious shell script onto the server, which then collected and exfiltrated data. ‘download [T1105] a malicious shell script’.
  • [T1071.001] Application Layer Protocol: Web Protocols – Used GET requests to exploit CVE-2022-22954 for RCE and to upload web shells. ‘many GET requests to the server exploiting—or attempting to exploit—CVE 2022-22954 to obtain RCE, upload binaries, and upload webshells’.
  • [T1068] Exploitation for Privilege Escalation – Escalated privileges to root, consistent with CVE-2022-22960, in order to run the downloaded shell script. ‘to run the shell script with root privileges ([T1068], [TA0004]).’
  • [T1560] Archive Collected Data – Collected data was staged as a tarball on the appliance prior to exfiltration. ‘the tar ball was located in a VMware Workspace ONE Access directory’.
  • [T1070] Indicator Removal on Host – Deleted logs and files to erase traces of the intrusion. ‘deleting files [T1070]’.
  • [T1505.003] Web Shell – Dropped Dingo J-spy webshell for post-exploitation persistence. ‘threat actors dropping the Dingo J-spy webshell’.
  • [T1090] Proxy – Deployed a reverse SOCKS proxy for tunneling. ‘reverse SOCKS proxy’.
  • [T1003.008] OS Credential Dumping – Accessed /etc/passwd and /etc/shadow files. ‘view /etc/passwd and /etc/shadow password files’.
  • [T1222.002] Linux and Mac File and Directory Permissions Modification – Used chmod on a hidden temporary file to facilitate execution and persistence. ‘CHMOD command to change the permissions of .tmp12865xax’.
  • [T1573.001] Encrypted Channel – The revsocks reverse proxy supports TLS/SSL, giving the actors an encrypted tunnel to their infrastructure. ‘TLS/SSL support and connects to’ a domain.
  • [T1588.001] Obtain Capabilities: Malware – Acquisition of malicious capabilities (malware) for operational use.
  • [T1059] Command and Scripting Interpreter – Execution of Unix shell commands during the intrusion. ‘thousands of Unix commands’.
  • [T1059.004] Unix Shell – Commands were run directly from a Unix shell to execute tools and read files on the appliance. ‘Unix shell’.

Indicators of Compromise

  • [IP Addresses] Context – 84.38.133.149, 20.232.97.189, and other observed IPs used for C2, download, and reverse connections.
  • [IP Addresses] Context – 172.94.89.112, 100.14.239.83, and additional addresses linked to reverse shells and data transfer.
  • [Domains] Context – https://149.248.35.200.sslip.io, sslip.io, https://github.com/kost/revsocks/releases/download.
  • [MD5 Hashes] Context – 5b0bfda04a1e0d8dcb02556dc4e56e6a, 4cd8366345ad4068feca4d417738b4bd.
  • [Files] Context – horizon.jsp, jquery.jsp, app.jsp, and other webshell-related files observed on infected hosts.
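The TTP and IOC lists above are most useful once they are turned into something that can be run over evidence. The script below is an added example (not CISA's tooling and not taken from the alert): it loads the alert's IPs, web shell file names and MD5 hashes, scans web-server access log lines for requests from listed IPs or to listed web shell names, and checks on-disk files against the listed hashes. The log format is a constructed Apache/nginx-style combined log (real Workspace ONE Access logs are laid out differently, so adapt `LOG_RE`), and the `${`/`{{`/`#{` template-expression heuristic for spotting SSTI attempts in GET query strings is an assumption of this example, not an indicator from the alert.

```python
"""Hunt for the AA22-138B IOCs in access logs and files.

Added example, not CISA's own tooling. Sample log lines are constructed;
the template-expression heuristic is an assumption of this example.
"""
import hashlib
import re
from urllib.parse import unquote

# Indicators listed in the alert.
IOC_IPS = {"84.38.133.149", "20.232.97.189", "172.94.89.112", "100.14.239.83"}
IOC_WEBSHELLS = {"horizon.jsp", "jquery.jsp", "app.jsp"}
IOC_MD5 = {"5b0bfda04a1e0d8dcb02556dc4e56e6a", "4cd8366345ad4068feca4d417738b4bd"}

# Constructed combined-log-style format (assumption; adapt to the real log layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)
# Heuristic (assumption of this example): template expressions in a query string
# are a low-noise signal for SSTI probing such as CVE-2022-22954.
TEMPLATE_RE = re.compile(r"\$\{|\{\{|#\{")


def scan_access_log(lines):
    """Return (line_number, reason) tuples for lines matching an IOC or the heuristic."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would log this separately
        src = m.group("src")
        path = unquote(m.group("path"))  # decode %24%7B... so ${ is visible
        if src in IOC_IPS:
            findings.append((n, f"source IP {src} is on the AA22-138B IOC list"))
        basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if basename in IOC_WEBSHELLS:
            findings.append((n, f"request to known web shell name {basename}"))
        if m.group("method") == "GET" and TEMPLATE_RE.search(path):
            findings.append((n, "template expression in GET query (possible SSTI attempt)"))
    return findings


def hash_matches(files):
    """files: {path: bytes}. Return the paths whose MD5 is on the IOC list."""
    return [p for p, data in files.items() if hashlib.md5(data).hexdigest() in IOC_MD5]


# Constructed sample log lines (not real traffic): a benign login, an SSTI probe
# from a listed IP, a POST to a web shell name, and a request from a listed IP.
SAMPLE_LOG = [
    '10.1.2.3 - - [25/Apr/2022:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120',
    '84.38.133.149 - - [25/Apr/2022:10:00:05 +0000] "GET /app/verify?id=%24%7Bprobe%7D HTTP/1.1" 400 812',
    '203.0.113.7 - - [25/Apr/2022:10:03:11 +0000] "POST /SAAS/horizon/js-lib/horizon.jsp HTTP/1.1" 200 17',
    '172.94.89.112 - - [25/Apr/2022:10:05:42 +0000] "GET /SAAS/API/1.0/REST/system/health HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for num, why in scan_access_log(SAMPLE_LOG):
        print(f"line {num}: {why}")
    print("hash hits:", hash_matches({"/tmp/example": b"benign content"}))
```

Run it against exported access logs and a directory walk of the Workspace ONE webapps tree; IP and hash hits are high-confidence, while the template heuristic is a triage signal that needs the full request reviewed.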

Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-138b