Threat Signal Report

Active Exploitation of WSO2 Vulnerability (CVE-2022-29464) Delivers Malware

Description

FortiGuard Labs is aware that a WSO2 vulnerability (CVE-2022-29464), which was patched in February 2022 and disclosed in April, is still being actively exploited in the field. CVE-2022-29464 is an unrestricted arbitrary file upload and remote code execution vulnerability that allows unauthenticated remote attackers to execute arbitrary code on vulnerable WSO2 products.


Why is this Significant?

This is significant because, despite the fact that CVE-2022-29464 was patched in February and disclosed in April, the vulnerability is still being actively exploited. This means that attacks that leverage CVE-2022-29464 still have some level of success even now. With the vulnerability being actively exploited and Proof-of-Concept (PoC) code having become publicly available in late April, users and administrators should review WSO2's advisory and apply the patch or the necessary workaround.


Also, CVE-2022-29464 is included in CISA's Known Exploited Vulnerabilities Catalog, which lists vulnerabilities that US federal agencies are required to patch on their information systems within specific timeframes and deadlines.



What is CVE-2022-29464?

CVE-2022-29464 is a vulnerability in multiple WSO2 products that allows unauthenticated and remote attackers to execute arbitrary code on the affected systems. The vulnerability is rated Critical and has a CVSS Score of 9.8.


The advisory has the following products as vulnerable:


WSO2 API Manager 2.2.0, up to 4.0.0

WSO2 Identity Server 5.2.0, up to 5.11.0

WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0

WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0

WSO2 Enterprise Integrator 6.2.0, up to 6.6.0

WSO2 Open Banking AM 1.4.0, up to 2.0.0

WSO2 Open Banking KM 1.4.0, up to 2.0.0
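The affected ranges above are easy to misjudge when versions are compared as strings ("5.11.0" sorts before "5.2.0"). The following is an added example, not FortiGuard's or WSO2's code, that encodes the advisory's list and triages a constructed inventory of hostnames and versions (all made up for illustration):

```python
"""Affected-version check for CVE-2022-29464 (added example, not FortiGuard's or WSO2's code)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '5.11.0' into (5, 11, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))

# Affected versions as listed in the advisory: either an inclusive range
# (low, high) or an explicit list of point releases.
AFFECTED: Dict[str, object] = {
    "WSO2 API Manager": ("2.2.0", "4.0.0"),
    "WSO2 Identity Server": ("5.2.0", "5.11.0"),
    "WSO2 Identity Server Analytics": ["5.4.0", "5.4.1", "5.5.0", "5.6.0"],
    "WSO2 Identity Server as Key Manager": ("5.3.0", "5.11.0"),
    "WSO2 Enterprise Integrator": ("6.2.0", "6.6.0"),
    "WSO2 Open Banking AM": ("1.4.0", "2.0.0"),
    "WSO2 Open Banking KM": ("1.4.0", "2.0.0"),
}

def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside the advisory's affected set."""
    spec = AFFECTED.get(product)
    if spec is None:
        return False  # product not listed in the advisory
    v = parse_version(version)
    if isinstance(spec, tuple):
        low, high = (parse_version(s) for s in spec)
        return low <= v <= high  # both ends of "x, up to y" are inclusive
    return v in {parse_version(s) for s in spec}

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return host names whose deployed WSO2 version is in the affected set."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("api-gw-01", "WSO2 API Manager", "3.2.0"),
    ("api-gw-02", "WSO2 API Manager", "4.1.0"),
    ("idp-01", "WSO2 Identity Server", "5.11.0"),
    ("idp-analytics-01", "WSO2 Identity Server Analytics", "5.7.0"),
    ("ei-01", "WSO2 Enterprise Integrator", "6.1.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version in the CVE-2022-29464 affected range, verify the WSO2 fix is applied")
```

A version inside the range only means the host needs checking: WSO2 shipped its permanent fixes as updates to the supported versions, so confirm whether the February fix or the workaround is in place rather than relying on the version number alone.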



What Malware Was Deployed after Successful Exploitation of CVE-2022-29464?

Cobalt Strike, a backdoor, a cryptocurrency miner and a hacktool are reported to have been deployed to the compromised systems.



Has the Vendor Released an Advisory?

Yes. See the Appendix for a link to "Security Advisory WSO2-2021-1738".



Has the Vendor Released a Patch for CVE-2022-29464?

Yes. According to WSO2's advisory, WSO2 released temporary mitigations in January 2022 and released permanent fixes for all the supported product versions in February.



What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against files associated with CVE-2022-29464:


W64/Agent.CY!tr

ELF/Agent.AR!tr

ELF/BitCoinMiner.HF!tr

Java/Agent.AUJ!tr

Java/Webshell.E!tr

Java/Webshell.0CC4!tr

Riskware/Generic.H2

Malicious_Behavior.SB


FortiGuard Labs provides the following IPS coverage against CVE-2022-29464:

WSO2.fileupload.Arbitrary.File.Upload (default action is set to pass)


Known network IOCs for CVE-2022-29464 are blocked by the WebFiltering client.

Telemetry

