UPDATED 13:30 EDT / MAY 19 2022

CISA issues warning about vulnerabilities in VMware and F5 products

The U.S. Cybersecurity and Infrastructure Security Agency has issued alerts about five software vulnerabilities that likely affect a large number of organizations.

Four of the vulnerabilities were found in VMware Inc. products. The fifth vulnerability affects a load balancer from F5 Inc., a publicly traded provider of data center equipment and software.

On April 6, VMware issued a patch for two vulnerabilities tracked as CVE-2022-22954 and CVE-2022-22960. The security flaws affect the company’s Workspace ONE Access, Identity Manager, vRealize Automation, VMware Cloud Foundation and vRealize Suite Lifecycle Manager products.

In an alert published Wednesday, CISA detailed that hackers reverse-engineered VMware’s April 6 patch within 48 hours and began launching cyberattacks against vulnerable networks. The vulnerabilities make affected systems susceptible to several types of cyberattacks. Hackers can use the security flaws to remotely run malicious code on affected systems, gain root access and gain administrative access.

“CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954,” the agency stated. “Additionally, CISA has received information — including indicators of compromise (IOCs) — about observed exploitation at multiple other large organizations from trusted third parties.”

Separately, CISA issued an emergency directive about two newer security flaws that were found in the same VMware products affected by the first two vulnerabilities. VMware released an update for the two newer security flaws on Wednesday. They are tracked as CVE-2022-22972 and CVE-2022-22973.

Based on the cyberattacks targeting systems affected by the two earlier vulnerabilities, “CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973,” the agency stated. 

CISA has instructed all federal civilian agencies to install VMware’s patch for the two new vulnerabilities or remove affected systems by 5 p.m. EDT on Monday, May 23. Agencies must take additional steps to secure vulnerable VMware deployments that are accessible from the internet. When securing such deployments, information technology teams are instructed to “assume compromise, immediately disconnect from the production network, and conduct threat hunt activities,” CISA stated. 

The agency is encouraging other organizations to take similar steps. “CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities,” the agency stated.

The fifth security flaw for which CISA released an alert affects BIG-IP, a popular load balancer from F5 that organizations use to manage network traffic. Certain versions of the load balancer have been found to contain a vulnerability known as CVE-2022-1388. It “enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses,” CISA detailed. 

F5 released a patch for the vulnerability on May 4. Since then, CISA stated in the alert, proof-of-concept code demonstrating how to use the vulnerability to launch cyberattacks has been publicly released. The agency warned that hackers have already begun targeting affected systems. 

CISA and the Multi-State Information Sharing and Analysis Center believe that there will be widespread cyberattacks targeting affected systems going forward. Officials “strongly urge” administrators to secure vulnerable systems. Additionally, IT teams are being encouraged to check if their BIG-IP systems may have been hacked.

CISA has released technical resources to help IT teams detect potential signs of hacking. Moreover, the agency is encouraging organizations to take a number of additional steps to secure their BIG-IP deployments. CISA stated that organizations should, among other measures, ensure the load balancer’s management interface is not accessible from the internet.
