
Hackers exploit critical flaw in VMware Workspace One Access

Obanla Opeyemi

November 4, 2022 - TuxCare expert team

Researchers from the cybersecurity company Fortinet have uncovered a malicious campaign in which attackers exploit a critical vulnerability in VMware Workspace ONE Access to spread several types of malware, including the RAR1Ransom tool, which locks files inside password-protected archives.

VMware Workspace ONE Access is designed to give customers faster access to SaaS, web and native mobile apps with multi-factor authentication, conditional access and single sign-on. In short, it provides a faster, more secure experience for users' digital workspace. Its key offerings include a consumer-like user experience for enterprise applications, faster onboarding of new applications, zero-trust access and a smart digital workplace.

The vulnerability is tracked as CVE-2022-22954. It is a remote code execution flaw triggered through server-side template injection. In the observed campaigns, the threat actors deploy the Mirai botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.

In August, the attackers shifted from targeted data-exfiltration attempts to cryptominers, file-tokens, and DDoS enlistment by a Mirai variant, using Bash and PowerShell scripts to target Linux and Windows systems. The scripts fetch a list of files to launch on the compromised machine.

Some of the files downloaded by the PowerShell script “init.ps1” include: phpupdate.exe, the Xmrig Monero mining software; config.json, a configuration file for the mining pools; networkmanager.exe, an executable used to scan for and spread the infection; phpguard.exe, a guardian executable that keeps the Xmrig miner running; clean.bat, a script that removes competing cryptominers from the compromised host; and encrypt.exe, the RAR1 ransomware.

The attackers use RAR1Ransom as a simple ransomware tool. It abuses WinRAR to compress the victim's files and lock them with a password. RAR1Ransom targets a specific list of file types and appends the “rart” extension to each archive. The malware then drops a ransom note demanding payment of 2 XMR to a provided wallet address.
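As an added defender-side example (not code from the article, Fortinet or BleepingComputer), the following script flags process-creation events that match the host artifacts described above: the file names dropped by init.ps1, and WinRAR invoked with a password switch to write a “.rart” archive. The event shape, the sample events and the finding tags are assumptions constructed for this illustration.

```python
import re

# Host indicators taken from the article: files dropped by init.ps1 and the
# ".rart" extension RAR1Ransom appends. "config.json" is too generic to be a
# useful indicator on its own, so it is left out of the match list.
CAMPAIGN_FILES = ("init.ps1", "phpupdate.exe", "networkmanager.exe",
                  "phpguard.exe", "clean.bat", "encrypt.exe")
RAR_BINARIES = ("rar.exe", "winrar.exe")

def classify_event(event):
    """Return finding tags for one process-creation event ({'image', 'cmdline'});
    an empty list means nothing matched."""
    findings = []
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    if image in CAMPAIGN_FILES:
        findings.append(f"campaign-file:{image}")
    # A listed name passed as an argument, e.g. powershell.exe ... init.ps1.
    for name in CAMPAIGN_FILES:
        if name != image and re.search(
                r"(?<![\w.])" + re.escape(name) + r"(?![\w.])", cmdline, re.I):
            findings.append(f"campaign-arg:{name}")
    # WinRAR run from the command line with a password switch (-p<pw> or -hp<pw>)
    # writing a .rart archive is the behaviour the article attributes to RAR1Ransom.
    if image in RAR_BINARIES:
        has_password = re.search(r"(?:^|\s)-h?p\S*", cmdline) is not None
        writes_rart = re.search(r"\S+\.rart(?:\s|$)", cmdline, re.I) is not None
        if has_password and writes_rart:
            findings.append("rar-password-archive-rart")
        elif has_password:
            findings.append("rar-password-archive")
    return findings

def scan_events(events):
    """Return [(index, findings)] for every event that produced a finding."""
    hits = []
    for i, ev in enumerate(events):
        tags = classify_event(ev)
        if tags:
            hits.append((i, tags))
    return hits

# Constructed sample events (not real telemetry), shaped like Sysmon/EDR
# process-creation records reduced to image path and command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\init.ps1"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hpPLACEHOLDER C:\Users\alice\Documents\report.docx.rart C:\Users\alice\Documents\report.docx"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a C:\Backups\docs.rar C:\Users\alice\Documents"},
]

if __name__ == "__main__":
    for index, tags in scan_events(SAMPLE_EVENTS):
        print(index, tags)
```

The third sample (a plain, unencrypted backup archive) produces no finding, which is the false-positive case a rule on WinRAR alone would trip over.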

The sources for this piece include an article in BleepingComputer.
