Critical Bug in VMware Products Is Used to Install Miners and Ransomware

Fortinet experts warn that hackers are still exploiting the critical bug in VMware Workspace ONE Access (CVE-2022-22954), thus spreading ransomware and cryptocurrency miners.

We also wrote that Some Versions of VMware Carbon Black Cause BSODs on Windows.

Let me remind you that the CVE-2022-22954 vulnerability is associated with remote arbitrary code execution and affects VMware Workspace ONE Access. The bug scored 9.8 out of 10 on the CVSS vulnerability rating scale, and VMware discovered and fixed the issue on April 6 this year. However, the attackers reversed this fix and within 48 hours created an exploit, which was then used to compromise yet unpatched servers.

In August, Fortinet analysts noticed a sudden surge in attempts to exploit this problem, as well as a major change in attacker tactics. If earlier, using CVE-2022-22954, hackers installed payloads that collected passwords and other data, as part of a new wave of attacks, the RAR1ransom ransomware, the GuardMiner miner for Monero mining, as well as another modification of the Mirai malware, which is used to build DDoS botnets, were distributed.

The Mirai sample that the experts found was downloaded from http://107[.]189[.]8[.]21/pedalcheta/cutie.x86_64 and relied on the control server at cnc.goodpackets[.]cc.

In addition to conducting DDoS attacks, the malware also tried to infect other devices by brute-forcing the administrator password. The researchers found the following list of passwords for popular IoT devices used by malware:

In turn, the distribution of RAR1Ransom and GuardMiner is carried out using PowerShell or shell scripts, depending on the OS. The researchers’ report notes that the RAR1ransom ransomware is also notable for using WinRAR to place the victim’s files in protected archives.

Fortinet experts summarize that CVE-2022-22954 is still dangerous, and those who have not yet done so are advised to fix the vulnerability as soon as possible.