Сlarity and Trust – We take pride in being the site where you can feel free to express your opinion and leave feedback. Whenever you click on the websites of products reviewed by us, we participate in the revenue sharing and get commissions that help us maintain our project. Read more about how we work.

Critical Bug in VMware Products Is Used to Install Miners and Ransomware

Now Reading
Critical Bug in VMware Products Is Used to Install Miners and Ransomware

Fortinet experts warn that hackers are still exploiting the critical bug in VMware Workspace ONE Access (CVE-2022-22954), thus spreading ransomware and cryptocurrency miners.

We also wrote that Some Versions of VMware Carbon Black Cause BSODs on Windows.

Let me remind you that the CVE-2022-22954 vulnerability is associated with remote arbitrary code execution and affects VMware Workspace ONE Access. The bug scored 9.8 out of 10 on the CVSS vulnerability rating scale, and VMware discovered and fixed the issue on April 6 this year. However, the attackers reversed this fix and within 48 hours created an exploit, which was then used to compromise yet unpatched servers.

In August, Fortinet analysts noticed a sudden surge in attempts to exploit this problem, as well as a major change in attacker tactics. If earlier, using CVE-2022-22954, hackers installed payloads that collected passwords and other data, as part of a new wave of attacks, the RAR1ransom ransomware, the GuardMiner miner for Monero mining, as well as another modification of the Mirai malware, which is used to build DDoS botnets, were distributed.

Critical bug in VMware

The Mirai sample that the experts found was downloaded from http://107[.]189[.]8[.]21/pedalcheta/cutie.x86_64 and relied on the control server at cnc.goodpackets[.]cc.

In addition to conducting DDoS attacks, the malware also tried to infect other devices by brute-forcing the administrator password. The researchers found the following list of passwords for popular IoT devices used by malware:

hikvision 1234 win1dows S2fGqNFs
root tsgoingon newsheen 12345
default solokey neworange88888888 guest
bin user neworang system
059AnkJ telnetadmin tlJwpbo6 iwkb
141388 123456 20150602 00000000
adaptec 20080826 vstarcam2015 v2mprt
Administrator 1001chin vhd1206 support
NULL xc3511 QwestM0dem 7ujMko0admin
bbsd-client vizxv fidel123 dvr2580222
par0t hg2x0 samsung t0talc0ntr0l4!
cablecom hunt5759 epicrouter zlxx
pointofsale nflection admin@mimifi xmhdipc
icatch99 password daemon netopia
3com DOCSIS_APP hagpolm1 klv123

In turn, the distribution of RAR1Ransom and GuardMiner is carried out using PowerShell or shell scripts, depending on the OS. The researchers’ report notes that the RAR1ransom ransomware is also notable for using WinRAR to place the victim’s files in protected archives.

Fortinet experts summarize that CVE-2022-22954 is still dangerous, and those who have not yet done so are advised to fix the vulnerability as soon as possible.

What's your reaction?
Love It
Like It
Want It
Had It
Hated It
About The Author
Vladimir Krasnogolovy
Leave a response

Leave a Response