Optiv’s gTIC Prioritized Software and Services List + MITRE Tactics Part V: VMware Software and Products

This blog post is a continuation of our Optiv Global Threat Intelligence Center’s (gTIC) Prioritized Software and Services List series. The list provides a high-level introduction to frequently exploited software, services, and protocols and their associated MITRE ATT&CK Tactic mappings. The intent of researching, identifying, and prioritizing potentially high-risk products (based on how attractive they are to adversaries and how frequently they are targeted) is to supplement and support enterprise risk management, incident response preparedness, intelligence collection, and threat research. Follow-up reports will cover more details on adversaries, vulnerabilities, techniques, and real-world incidents (where applicable) pertaining to many of the software and services outlined in the original blog post.


This fifth blog post in the series covers exploitation trends and vulnerabilities in popular VMware products to support the gTIC’s inclusion of VMware products on our Prioritized Software and Services List.



VMware Products and MITRE Technique Mapping

Optiv’s gTIC has identified and categorized VMware as a Critical Enterprise Software vendor. As described in our initial “Prioritized Software and Services List,” products and software that fall under the category of “Critical Enterprise Software” are considered essential to business processes and continuity. These products enable internal and external system communications; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products to perform various actions, including accessing and exfiltrating data, gaining Initial Access through phishing (with malware or for credential theft), scanning and exploitation of insecure web-facing instances, installing backdoors and web shells to achieve Persistence, enumerating user credentials and privileges, discovering sensitive databases, and mapping out other parts of the network and environment.


VMware software includes some of the most widely used cloud and virtualization solutions in enterprise environments. The elevated risk profile for applicable organizations is based on the ubiquity of VMware products, as well as the severity and notoriety of known vulnerabilities and real-world compromises. While multiple VMware products have a strong presence in corporate environments globally, some are more frequently reported on than others. These include (but are not limited to) VMware vCenter, Workspace ONE, ESXi, vSphere, and Horizon. Independent of report frequency, if your organization owns or uses these or any other popular VMware products, prioritize accordingly.


Reports and observations show that adversaries leverage VMware products to navigate across 10 Tactics mapped to the MITRE ATT&CK framework. Specific MITRE ATT&CK Techniques for each of the observed Tactics include the following:


TA0042 – Resource Development

T1583.005 – Botnet: EnemyBot implemented exploits for VMware Workspace ONE and Identity Manager to identify and infect new devices and assets for use in future denial-of-service attacks.


TA0001 - Initial Access

T1190 – Exploit Public-Facing Application: Remote code execution (RCE) vulnerabilities in VMware ESXi remain one of the most favored attack vectors for cyber adversaries to gain a foothold and execute malicious code in victim environments. As recently as mid-2022, the Log4Shell vulnerability (CVE-2021-44228) was reportedly exploited to compromise VMware Horizon servers for Initial Access. Endpoints hosting vulnerable instances of vCenter Server can be exploited for Initial Access and chained with other VMware vulnerabilities for a complete system takeover.


TA0002 – Execution

T1203 – Exploitation for Client Execution: Exploitation of vulnerabilities in several VMware products, including Workspace ONE, vRealize, and ESXi, can allow adversaries to run malicious code remotely to install ransomware and cryptocurrency miners, copy files and directories from one location to another, or take full control over a client or system.


TA0004 – Privilege Escalation

T1068 – Exploitation for Privilege Escalation: A local privilege escalation (LPE) vulnerability in VMware vCenter, CVE-2021-22015, was tested and proven to allow a low-privileged user to gain root access to the vCenter host. This can allow access to files and processes to reveal hashed credentials or run malicious code and scripts at root level.


TA0005 – Defense Evasion

T1211 – Exploitation for Defense Evasion: Exploitation of multiple 2022 access control and authentication weakness vulnerabilities in VMware Workspace ONE (CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687) allows threat actors to bypass authentication mechanisms.


T1134.001 – Token Impersonation/Theft: A vulnerability in VMware Workspace ONE, CVE-2022-31869, resulted in the improper handling of session tokens (session fixation vulnerability). This could allow an actor with existing network and environment access to steal and impersonate valid session tokens to bypass authentication in VMware Workspace ONE.


T1562.001 – Disable or Modify Tools: Elevated privileges in clients and consoles like vCenter allowed threat actors to modify rules and controls in local firewalls to gain access to other environments like ESXi without detection.


TA0006 – Credential Access

T1212 – Exploitation for Credential Access: Adversaries can exploit vulnerabilities in endpoints hosting vCenter servers, like CVE-2022-22948, to obtain credentials to other sensitive systems, chaining multiple techniques and vulnerabilities for higher-privileged or complete system takeover.


T1555 – Credentials from Password Stores: vCenter has been exploited to acquire credentials from an attached or embedded PostgreSQL server to pivot to other connected VMware systems like ESXi.


TA0007 - Discovery

T1018 – Remote System Discovery: Enumeration of hosts (e.g., ESXi) and virtual machines from management consoles like vCenter allows attackers visibility into connected services and systems for further deployment of backdoors and tools to elevate privileges or pivot to discovered systems.


TA0008 – Lateral Movement

T1210 – Exploitation of Remote Services: Exploitation and access into VMware consoles and clients can allow attackers to gain access to managed or connected hosts, virtual machines, and servers, which allows propagation across multiple systems.


TA0009 – Collection

T1005 – Data from Local System: Vulnerabilities in ESXi have been exploited to transfer files between the compromised ESXi host and its guest VMs.


TA0040 - Impact

T1486 – Data Encrypted for Impact: Ransomware has been deployed as a secondary and post-intrusion technique following the compromise of multiple VMware services, including VMware Workspace ONE, vSphere, and ESXi.


T1496 – Resource Hijacking: A server-side template injection vulnerability in VMware Workspace ONE (CVE-2022-22954) was previously exploited to deliver ransomware, as well as the GuardMiner cryptocurrency miner.


The following chart shows the most popular and widely covered VMware products—Workspace ONE suite, vSphere, ESXi, vCenter, and VMware Horizon—mapped to various MITRE Tactics. The chart also shows associated threats, including malware, adversaries, and popular vulnerabilities assessed to pose a high risk to organizations or that cyber adversaries have exploited over the last 24 months.



Figure 1: Threat Actors, Malware, and MITRE Tactics Associated with VMware Attacks



Vulnerabilities and Threats

Cyber adversaries are known to exploit vulnerabilities in VMware products to accomplish numerous objectives. These objectives include delivering various types of payloads and implants like backdoors and web shells, deploying ransomware to destroy virtual and backup environments, exploiting systems for Initial Access and discovery of the compromised environment, and establishing a foothold for botnets. Research and observed incidents of compromises involving VMware exploits also validate Optiv gTIC’s long-standing assessment that threat actors will continue to exploit old vulnerabilities (two years and older) in popular software and services because those exploits keep proving successful over time.


Aside from zero-day exploits, research shows that adversaries have scanned for and exploited critical vulnerabilities in VMware ESXi, Horizon, vCenter, vSphere, and VMware Workspace ONE within 48 hours of disclosure. Patching is therefore highly time sensitive, and enterprises should prioritize VMware software assets in their asset inventory and defense-in-depth program. Threat actors known to have exploited VMware products as part of their campaigns include the Lazarus (Democratic People’s Republic of Korea) and APT35 (Iran) state-sponsored groups. Multiple ransomware cartels, including the Conti, AvosLocker, RansomExx, and Hive groups, have also exploited VMware products. This is Likely due to VMware’s ubiquity across enterprise environments, its management of and access to data and accounts, and its internet-facing position, which together make the critical vulnerabilities in these products a key target for Initial Access, Discovery, and Privilege Escalation.
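The technique mapping above and the 48-hour exploitation window can be turned into a simple inventory triage step. The following Python script is an added example, not Optiv gTIC tooling or any Optiv metric: it transcribes the product-to-CVE-to-Tactic relationships stated in this post, scores each inventoried VMware asset by how many ATT&CK Tactics its unpatched CVEs expose, whether it is internet-facing, and whether any advisory is older than the 48-hour window, and flags CVEs that are not in the mapping for manual review. The weights, the hostnames, and the advisory publication dates in the sample inventory are constructed assumptions for illustration (the dates are not the real advisory dates), and CVE-0000-00000 is a deliberately invalid placeholder.

```python
"""Triage a VMware asset inventory against the CVE/ATT&CK mapping in the post.

Added example, not Optiv code. The CVE table is transcribed from the post;
weights, hostnames and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# CVE -> (VMware product, ATT&CK Tactics the post associates with that CVE).
CVE_TACTICS = {
    "CVE-2021-44228": ("Horizon",       {"TA0001"}),                      # Log4Shell, Initial Access
    "CVE-2021-22015": ("vCenter",       {"TA0004"}),                      # local privilege escalation to root
    "CVE-2022-22948": ("vCenter",       {"TA0006"}),                      # credential disclosure
    "CVE-2022-22954": ("Workspace ONE", {"TA0042", "TA0040"}),            # SSTI: EnemyBot, GuardMiner, ransomware
    "CVE-2022-31685": ("Workspace ONE", {"TA0005"}),                      # authentication bypass
    "CVE-2022-31686": ("Workspace ONE", {"TA0005"}),
    "CVE-2022-31687": ("Workspace ONE", {"TA0005"}),
    "CVE-2022-31869": ("Workspace ONE", {"TA0005"}),                      # session fixation
    "CVE-2019-5544":  ("ESXi",          {"TA0040"}),                      # used in ransomware incidents
    "CVE-2020-3992":  ("ESXi",          {"TA0040"}),
    "CVE-2023-20867": ("ESXi",          {"TA0002", "TA0004", "TA0005"}),  # UNC3886 zero-day
}

# The post reports exploitation within 48 hours of disclosure.
PATCH_WINDOW = timedelta(hours=48)

# Scoring weights are assumptions for this example, not an Optiv metric.
W_TACTIC, W_INTERNET, W_OVERDUE = 10, 25, 15


@dataclass
class Asset:
    hostname: str
    product: str
    internet_facing: bool
    unpatched: dict  # CVE id -> advisory publication date (constructed sample values)


def assess(asset, now):
    """Return a triage record for one asset relative to the time `now`."""
    tactics, overdue, unreviewed = set(), [], []
    for cve, published in asset.unpatched.items():
        entry = CVE_TACTICS.get(cve)
        if entry is None or entry[0] != asset.product:
            unreviewed.append(cve)  # not in the post's mapping for this product
            continue
        tactics |= entry[1]
        if now - published > PATCH_WINDOW:
            overdue.append(cve)     # past the window in which exploitation was observed
    score = W_TACTIC * len(tactics) + W_OVERDUE * len(overdue)
    if asset.internet_facing and tactics:
        score += W_INTERNET         # exposed to scanning and exploitation from the internet
    return {
        "hostname": asset.hostname,
        "product": asset.product,
        "score": score,
        "tactics": sorted(tactics),
        "overdue": sorted(overdue),
        "unreviewed": sorted(unreviewed),
    }


def prioritize(assets, now):
    """Highest score first; hostname breaks ties so the order is stable."""
    return sorted((assess(a, now) for a in assets),
                  key=lambda r: (-r["score"], r["hostname"]))


# Constructed sample inventory; the dates are NOT the real advisory dates.
NOW = datetime(2023, 7, 1)
SAMPLE_INVENTORY = [
    Asset("uem-01", "Workspace ONE", True,
          {"CVE-2022-22954": datetime(2023, 6, 1), "CVE-2022-31685": datetime(2023, 6, 1)}),
    Asset("vcsa-01", "vCenter", False,
          {"CVE-2021-22015": datetime(2023, 6, 30, 12)}),   # 12 hours old: inside the window
    Asset("esx-07", "ESXi", False,
          {"CVE-2023-20867": datetime(2023, 6, 1)}),
    Asset("hzn-02", "Horizon", True,
          {"CVE-2021-44228": datetime(2023, 6, 1), "CVE-0000-00000": datetime(2023, 6, 1)}),
]

if __name__ == "__main__":
    for rec in prioritize(SAMPLE_INVENTORY, NOW):
        print(f"{rec['score']:3d}  {rec['hostname']:8s} {rec['product']:14s} "
              f"tactics={rec['tactics']} overdue={rec['overdue']} unreviewed={rec['unreviewed']}")
```

The ordering this produces (Workspace ONE first, then the internet-facing Horizon host, then the ESXi host, then the vCenter appliance whose advisory is still inside the 48-hour window) reflects the post’s argument that exposure and reachable Tactics, not just CVE count, should drive patch order. Unmapped CVEs are surfaced rather than silently dropped so they get a manual lookup.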


Remote Code Execution (RCE) vulnerabilities (for example, via server-side template injection) and authentication bypass vulnerabilities in VMware products are among the most critical types of vulnerabilities. These vulnerabilities allow attackers to execute code, upload arbitrary files, or gain unauthorized privileged and root-level access to sensitive systems. Adversaries can also steal credentials from VMware consoles and connected databases to elevate privileges, manipulate, add, or delete defensive measures, credentials, and files, and gain access to sensitive directories and systems.


Vulnerabilities found in ESXi from 2019-2021 (e.g., CVE-2019-5544 and CVE-2020-3992) were observed in exploitation attempts as recently as 2022 and 2023. These attempts include ransomware incidents (e.g., the ESXiArgs and RansomExx ransomware groups). Affiliates and operators of multiple ransomware groups, including Alphv/BlackCat, AvosLocker, Babuk, REvil/Sodinokibi, and DarkSide/BlackMatter, have been observed exploiting ESXi to deploy post-exploitation tools and encryption malware. ESXi vulnerabilities are also favored as attack vectors for Initial Access and post-exploitation operations by APT groups like UNC3886, which has leveraged a zero-day vulnerability in ESXi (CVE-2023-20867) for Privilege Escalation, Defense Evasion, and Execution. VMware ESXi is Very Likely to remain a target of exploitation by both cybercriminals (including extortion groups) and state-sponsored APT groups in cyber espionage activities.


Application frameworks like Log4j and Spring (owned by VMware) are also attractive targets for adversaries seeking to exploit products running these frameworks. North Korea’s Lazarus APT group exploited the December 2021 Log4j vulnerability (CVE-2021-44228, Log4Shell) in VMware Horizon instances in a campaign observed between February and July 2022 to gain Initial Access to targets in the U.S. and South Korea. Post-exploitation activity included installing various backdoors for Persistence and Command and Control.


In the same way that exploit kits evolve, botnets can add exploits and tooling to their multi-module malware capabilities. EnemyBot, a prolific open-source botnet, is reportedly developed and maintained by threat actors capable of adapting to new attack vectors. The adversaries frequently update the malware to scan for newly disclosed vulnerabilities, sometimes within 24 hours of disclosure (so-called one-day vulnerabilities). In 2022, EnemyBot added exploits and scan capability for multiple vulnerabilities in popular software and services, including an RCE vulnerability in VMware Workspace ONE (CVE-2022-22954).


While not the focus of this blog post, Optiv’s gTIC also recognizes other VMware products that threat actors are Likely to exploit. While we will cover remote management software in a separate report, it is evident that products like VMware SaltStack are popular attack vectors for cyber adversaries.


The graphics below illustrate Optiv gTIC’s Threat Actor Metric™ calculated for selected cyber threat actors known to leverage VMware vCenter, Workspace ONE, ESXi, and Horizon as part of their attacks (see Appendix: References for an explanation of the Threat Actor Metric).



Figure 2: Threat Actor Metric Score for AvosLocker Ransomware
© 2023. Optiv Security Inc. All Rights Reserved.



Figure 3: Threat Actor Metric Score for Alphv Ransomware



Figure 4: Threat Actor Metric for Lazarus Group



Figure 5: Threat Actor Metric for APT35



Figure 6: Threat Actor Metric for UNC3886





1. MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2021 The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/.


Optiv Threat Actor Metric – The Optiv Threat Actor Metric was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determining a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and to support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.


Link charts and graphs in this report were created by Optiv's gTIC leveraging the ThreatQuotient® Investigations platform.


In addition to Optiv’s own Enterprise Incident Management team’s incident response engagements and analysis and other sensitive sources, the following references provided additional information for this blog post:


Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems | CISA


ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1) | VMware Security Blog


In Before The Lock: ESXi | Recorded Future


Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices | AT&T


VMware ESXi Servers: A Major Attack Vector for Ransomware | Forescout


CVE-2022-22948: Sensitive Information Disclosure in VMware vCenter | Pentera


VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors | Mandiant


vScalation (CVE-2021-22015)- Local Privilege Escalation in VMware vCenter | Pentera


Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability


VMware Security Advisory for CVE-2022-31685


VMSA-2022-0011: Questions & Answers


Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) | ASEC


Lazarus and the tale of three RATs | Talos Intelligence



Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.


Most Dangerous Course of Action (MDCOA) – Tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.


Words of Estimated Probability – Optiv’s gTIC employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:


Likelihood term        Equivalent term               Probability
Almost No Chance       Remote                        01-05%
Very Unlikely          Highly Improbable             05-20%
Unlikely               Improbable (Improbably)       20-45%
Roughly Even Chance    Roughly Even Odds             45-55%
Likely                 Probable (Probably)           55-80%
Very Likely            Highly Probable               80-95%
Almost Certain(ly)     Nearly Certain                95-99%


Confidence statements, as defined by the gTIC, apply to reliability and relevance of information reported and are as follows:


Confidence Level: High Confidence
Optiv EIM Definition: Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions.
Factors: Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation.
Quantitative Relevance: 75%+

Confidence Level: Moderate Confidence
Optiv EIM Definition: Information and/or intelligence is reasonable and warrants consideration, action, or response where applicable.
Factors: Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”).
Quantitative Relevance: 45-65% (+/- 10%)

Confidence Level: Low Confidence
Optiv EIM Definition: Information and/or intelligence is unreliable or less relevant and provided as situational awareness.
Factors: Lack of established history or observations, unreliable or circumstantial evidence.
Quantitative Relevance: < 35%


Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.

Principal Consultant | Optiv
Aamil Karimi has over 16 years of experience in the practice of intelligence analysis and reporting in both the military (HUMINT and targeting) as well as in cybersecurity threat intelligence and risk management. His cybersecurity experience includes supporting incident response, threat research, and CISO teams in building and expanding the threat intelligence capabilities for Fortune 500 companies and managed security services providers (MSSPs). Aamil’s approach to cyber threat and risk intelligence stems from maintaining a focus on the fundamentals of relevance and timeliness for customers and incorporating a risk-based strategy to prioritize collection, analysis, and reporting efforts. This is accomplished by understanding and assessing the current state of each customers’ risk profile and identifying the most likely and most dangerous threats to support business preparedness and defensive actions. Prior to joining the cybersecurity field, Aamil spent six years in Afghanistan on both active duty and civilian deployments supporting HUMINT and targeting efforts for the US Army, US Air Force Office of Special Investigations, and US Special Operations Command in Principal and Subject Matter Expert (SME) capacities.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.