Hackers exploit critical flaw in VMware Workspace One Access
Researchers from the cybersecurity company Fortinet have uncovered a malicious campaign in which attackers exploit a critical vulnerability in the VMware Workspace One Access to spread various types of malware, including the RAR1Ransom tool, which locks files in password-protected archives.
VMware Workspace ONE Access is designed to provide customers with faster access to SaaS, web and native mobile apps with multi-factor authentication, conditional access and single sign-on. Basically, it provides a faster, more secure user experience for users digital workspace. Some of its key offerings include delivering a consumer-like user experience for enterprise applications, faster onboarding of new applications, zero trust access and a smart digital workplace.
The vulnerability is tracked as CVE-2022-22954. It is a remote code execution flaw triggered through server-side template injection. In the observed campaigns, the threat actors use the Mira botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
In August, the attackers went from targeted data exfiltration attempts to cryptominers, file-tokens, and DDoS enlisting from a Miral variant, using Bash and PowerShell scripts to target Linux and Windows systems. The scripts fetch a list of files to launch on the compromised machine.
Some of the files downloaded by the PowerShell script “init.ps1” include: phpupdate.exe, an Xmrig Monero mining software; config.json: configuration file for mining pools; networkmanager.exe, an executable used to scan and spread infections; phpguard.exe, an executable used for guardian Xmrig miner to keep running; clean.bat, a script file to remove other cryptominers on the compromised host; encrypt.exe, a RAR1 ransomware.
The attackers use RAR1Ransom as a simple ransomware tool. The tool abuses WinRAR to compress the files of the victim and lock them with a password. RAR1Ransom target specific list of file types and eventually appends the “rart” extension. The malware then drops a ransom note requesting the payment of 2 XMR to a provided wallet address.
The sources for this piece include an article in BleepingComputer.