

Date: 5/23/2022

Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control


CISA is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Potential Impact

Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960).

Recommended Actions

If administrators discover system compromise, CISA recommends they:

Immediately isolate affected systems. 

Collect and review relevant logs, data, and artifacts.

Consider soliciting support from a third-party incident response organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.

Report incidents to CISA via CISA’s 24/7 Operations Center (888-282-0870).

Additional Mitigations

CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.

ED 22-03 Mitigate VMware Vulnerabilities
VMware Security Advisory VMSA-2022-0011
VMware Security Advisory VMSA-2022-0014

Ransomware Spotlight: RansomEXX


RansomEXX is a ransomware variant that gained notoriety after a spate of attacks in 2020 and continues to be active today. Via security company Trend Micro, let’s look at RansomEXX’s tactics, techniques, and procedures.

Potential Impact

This marks the first time a major Windows ransomware strain has been ported to Linux to aid hackers in their targeted intrusions.

The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal’s public transportation system, and, most recently, against Brazil’s court system (STJ).

RansomEXX is what security researchers call a “big-game hunter” or “human-operated ransomware.” These two terms are used to describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies can’t afford to stay down while they recover their systems.

In recent months, in many incidents, some ransomware gangs haven’t bothered encrypting workstations and have, first and foremost, targeted crucial servers inside a company’s network, knowing that by taking down these systems first, companies wouldn’t be able to access their centralized data troves, even if workstations were unaffected.

The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server.

General Recommended Actions

Configuring systems to detect RansomEXX Linux variants isn’t a solid strategy because of the way big-game hunter ransomware crews operate. By the time attackers deploy the ransomware, they already own most of a company’s network. The best strategy companies can take against these types of intrusions is to secure network perimeters by applying security patches to gateway devices and by making sure they are not misconfigured with weak or default credentials.

Further learning from this campaign indicates that users should only download files from trusted and legitimate sources to prevent the entry of malicious files into their system. Users should avoid enabling macros and should be wary of documents that prompt them to do so.


380,000 Kubernetes API Instances Exposed


On May 17, 2022, the ShadowServer Foundation reported finding 380,000 Kubernetes API (Application Programming Interface) instances exposed on the internet.  Kubernetes is a popular framework used to automate administration of cloud services.  The Foundation stated that “it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface”.

Potential Impact

The GreyCastle Security Incident Response Team (GCSIRT) often finds that attackers gain their initial foothold into victim networks through administrative portals exposed to the internet.  In many cases, victims are unaware that these portals were exposed before attacks were underway.

Recommended Actions

Often, administrative APIs or portals are exposed to the internet in the course of service setup, configuration changes, or testing.  For example, if an administrator is setting up a VPN tunnel between two firewalls, she might expose the administrative interfaces on these firewalls to the internet so that the VPN tunnel can be set up.  After setup is finished, she should disable internet access to the firewall admin interfaces.  Exposing an administrative API or portal to the internet should be a conscious decision.  Whenever possible, services such as these should be kept  on a private network, requiring a VPN connection to gain access.  If administrative portals must be exposed to the internet, they should be protected by multi-factor authentication.  Organizations should regularly scan all information assets for vulnerabilities, and review any informational findings, which should enumerate all exposed services.
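
One way to review scan findings for exposed administrative services, as an added example that is not GreyCastle's or Shadowserver's code. It assumes an organization has scanned its own address space from outside with nmap and saved grepable (-oG) output; the port list, the sample scan lines, and the function name are constructed for illustration.

```python
import ipaddress

# Assumption: ports this organization treats as administrative interfaces.
ADMIN_PORTS = {22: "SSH", 6443: "Kubernetes API server", 8443: "appliance admin portal"}

# RFC 1918 ranges count as "private network" here. ipaddress.is_private is
# avoided because it also returns True for the documentation ranges used below.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of nmap grepable output (documentation addresses only).
SAMPLE_SCAN = """\
# constructed sample, not real scan data
Host: 203.0.113.10 (k8s-lab.example.org)\tPorts: 22/filtered/tcp//ssh///, 6443/open/tcp//sun-sr-https///
Host: 203.0.113.25 (fw-edge.example.org)\tPorts: 8443/open/tcp//https-alt///, 500/open/udp//isakmp///
Host: 10.20.0.5 (k8s-int.example.org)\tPorts: 6443/open/tcp//sun-sr-https///
Host: 198.51.100.7 (www.example.org)\tPorts: 80/open/tcp//http///, 22/closed/tcp//ssh///
"""

def exposed_admin_services(scan_text):
    """Return (address, port, label) for admin ports open on non-private addresses."""
    findings = []
    for line in scan_text.splitlines():
        parts = line.split("\t")
        if not parts[0].startswith("Host: "):
            continue  # comment or summary line
        addr = parts[0].split()[1]
        if any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS):
            continue  # only reachable from the private network
        # Host lines without a "Ports:" field (e.g. "Status: Up") yield no entries.
        ports = next((p[len("Ports: "):] for p in parts if p.startswith("Ports: ")), "")
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            # "filtered" and "closed" ports are not reachable services.
            if state == "open" and proto == "tcp" and int(port) in ADMIN_PORTS:
                findings.append((addr, int(port), ADMIN_PORTS[int(port)]))
    return findings

if __name__ == "__main__":
    for addr, port, label in exposed_admin_services(SAMPLE_SCAN):
        print(f"{addr}:{port} exposed to the internet ({label})")
```

Each finding is a prompt to confirm whether the exposure was a conscious decision and, if it must remain, whether multi-factor authentication protects it.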

Over 380 000 open Kubernetes API servers | The Shadowserver Foundation

Deadbolt Ransomware Targets QNAP Devices


QNAP devices exposed to the Internet are being targeted by threat actors deploying the Deadbolt variant of ransomware. This new wave of attacks is the third time since the beginning of 2022 that publicly accessible QNAP devices have been targeted by this variant.

Potential Impact

Execution of Deadbolt ransomware will encrypt all files stored on the targeted QNAP device. There may also be crypto miners or backdoors dropped by the threat actors.

Recommended Actions

Targeted devices are TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1. Customers are urged to check and update QTS to the latest version and avoid exposing the devices to the Internet.


For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.
