AA22-138B Threat Actors Chaining VMware Vulnerabilities for Full System Control
Indicators
This STIX file provides an updated list of indicators of compromise (IOCs) associated with the malicious activity reported in CISA Cybersecurity Advisory (CSA) AA22-138B, Threat Actors Chaining VMware Vulnerabilities for Full System Control.
The original CSA AA22-138B was published on May 18, 2022.
On June 2, 2022, CSA AA22-138B was updated with additional indicators of compromise (IOCs), detection signatures, and tactics, techniques, and procedures (TTPs) obtained from trusted third parties.
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.
VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively.
Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.
For more information about this activity, to include detection and mitigation recommendations, please see updated Advisory "AA22-138B Threat Actors Chaining VMware Vulnerabilities for Full System Control."
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2022-06-02T00:00:00Z
T1588.001 - Obtain Capabilities: Malware - Resource Development
T1059 - Command and Scripting Interpreter - Execution
T1059.004 - Command and Scripting Interpreter: Unix Shell - Execution
T1203 - Exploitation for Client Execution - Execution
T1505.003 - Server Software Component: Web Shell - Persistence
T1068 - Exploitation for Privilege Escalation - Privilege Escalation
T1070 - Indicator Removal on Host - Defense Evasion
T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification - Defense Evasion
T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow - Credential Access
T1105 - Remote File Copy - Lateral Movement
T1560 - Archive Collected Data - Collection
T1071.001 - Application Layer Protocol: Web Protocols - Command and Control
T1090 - Proxy - Command and Control
T1573.001 - Encrypted Channel: Symmetric Cryptography - Command and Control