Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:06F5ECB1217B8E9B20CB0AC447D63E26
HistoryOct 21, 2022 - 2:56 p.m.

Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware

2022-10-2114:56:00
The Hacker News
thehackernews.com
153

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines.

β€œThe attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency,” Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.

The issue, tracked as CVE-2022-22954 (CVSS score: 9.8), concerns a remote code execution vulnerability that stems from a case of server-side template injection. Although the shortcoming was addressed by the virtualization services provider in April 2022, it has since come under active exploitation in the wild.

Fortinet said it observed in August 2022 attacks that sought to weaponize the flaw to deploy the Mirai botnet on Linux devices as well as the RAR1Ransom and GuardMiner, a variant of the XMRig Monero miner.

The Mirai sample is retrieved from a remote server and is designed to launch denial-of-service (DoS) and brute-force attacks aimed at well-known IoT devices by making use of a list of default credentials.

The distribution of RAR1Ransom and GuardMiner, on the other hand, is achieved by means of a PowerShell or a shell script depending on the operating system. RAR1ransom is also notable for leveraging the legitimate WinRAR utility to lock files in password-protected archives.

Furthermore, GuardMiner comes with capabilities to propagate to other hosts by taking advantage of exploits for a number of remote code execution flaws in other software, including those in Apache Struts, Atlassian Confluence, and Spring Cloud Gateway.

The findings are yet another reminder that malware campaigns continue to actively exploit recently disclosed flaws to break into unpatched systems, making it essential that users prioritize applying necessary security updates to mitigate such threats.

Found this article interesting? Follow THN on Facebook, Twitter ο‚™ and LinkedIn to read more exclusive content we post.

Related

cnvd 1
ibm 10
githubexploit 26
checkpoint_advisories 2
threatpost 2
nessus 5
prion 2
hackerone 2
hivepro 4
thn 8
metasploit 1
cve 2
srcincite 1
packetstorm 1
osv 3
cisa_kev 1
zdt 1
nuclei 2
ubuntucve 1
github 1
attackerkb 4
veracode 1
redhatcve 1
rapid7blog 7
ics 3
f5 1
malwarebytes 2
cisa 1
vmware 1
qualysblog 2
oracle 3
cnvd
cnvd
Apache Struts Remote Code Execution Vulnerability (CNVD-2023-02478)
2022-04-15 00:00:00
ibm
ibm
Security Bulletin: CVE-2021-31805 may affect Apache Struts used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections
2022-06-09 08:07:55
Security Bulletin: CVE-2021-31805 may affect Apache Struts used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections
2022-06-09 07:32:28
Security Bulletin: Vulnerability in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-31805)
2022-06-27 03:47:17
githubexploit
githubexploit
Exploit for Expression Language Injection in Apache Struts
2022-07-10 14:48:52
Exploit for Expression Language Injection in Apache Struts
2022-04-15 04:23:44
Exploit for Expression Language Injection in Apache Struts
2022-04-15 10:28:29
checkpoint_advisories
checkpoint_advisories
Apache Struts Remote Code Execution (CVE-2021-31805)
2022-05-02 00:00:00
VMware Workspace Remote Code Execution (CVE-2022-22954)
2022-04-27 00:00:00
threatpost
threatpost
Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data
2022-06-28 11:57:06
April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell
2022-05-18 13:54:23
nessus
nessus
VMware Workspace One Access / VMware Identity Manager Server-side Template Injection RCE (CVE-2022-22954)
2022-04-25 00:00:00
Oracle MySQL Enterprise Monitor (July 2022 CPU)
2022-07-20 00:00:00
Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062)
2022-04-12 00:00:00
prion
prion
Remote code execution
2022-04-11 20:15:00
Remote code execution
2022-04-12 16:15:00
hackerone
hackerone
U.S. Dept Of Defense: β–ˆβ–ˆβ–ˆ vulnerable to CVE-2022-22954
2022-04-11 16:41:20
U.S. Dept Of Defense: β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ vulnerable to CVE-2022-22954
2022-04-11 15:17:31
hivepro
hivepro
Newly patched VMware vulnerability exploited by Iranian espionage group, Rocket Kitten
2022-04-26 12:44:24
Two actively exploited vulnerabilities affect multiple VMware products
2022-04-18 13:06:29
Vulnerabilities in VMware when chained together grants Full System Control
2022-05-19 14:34:51
thn
thn
Iranian Hackers Exploiting VMware RCE Bug to Deploy 'Core Impact' Backdoor
2022-04-26 06:18:00
Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild
2022-04-14 04:31:00
Critical VMware Cloud Director Bug Could Let Hackers Takeover Entire Cloud Infrastructure
2022-04-15 03:42:00
metasploit
metasploit
VMware Workspace ONE Access CVE-2022-22954
2022-05-02 23:51:46
cve
cve
CVE-2022-22954
2022-04-11 20:15:00
CVE-2021-31805
2022-04-12 16:15:00
srcincite
srcincite
SRC-2022-0005 : VMware Workspace ONE Access customError.ftl Server-side Template Injection Remote Code Execution Vulnerability
2022-02-25 00:00:00
packetstorm
packetstorm
VMware Workspace ONE Access Template Injection / Command Execution
2022-05-03 00:00:00
osv
osv
CVE-2022-22954
2022-04-11 20:15:19
Expression Language Injection in Apache Struts
2022-04-13 00:00:30
CVE-2021-31805
2022-04-12 16:15:08
cisa_kev
cisa_kev
VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
2022-04-14 00:00:00
zdt
zdt
VMware Workspace ONE Access Template Injection / Command Execution Exploit
2022-05-04 00:00:00
nuclei
nuclei
VMware Workspace ONE Access - Server-Side Template Injection
2022-04-11 16:47:00
Apache Struts2 S2-062 - Remote Code Execution
2022-04-18 11:08:19
ubuntucve
ubuntucve
CVE-2021-31805
2022-04-12 00:00:00
github
github
Expression Language Injection in Apache Struts
2022-04-13 00:00:30
attackerkb
attackerkb
CVE-2022-22960
2022-04-13 00:00:00
CVE-2021-31805
2022-04-12 00:00:00
CVE-2022-22972
2022-05-26 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2022-04-13 04:46:59
redhatcve
redhatcve
CVE-2021-31805
2022-04-13 06:28:32
rapid7blog
rapid7blog
CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE
2022-08-05 15:13:15
Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954
2022-04-29 13:25:42
Metasploit Wrap-Up
2022-05-06 17:56:15
ics
ics
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
2022-07-18 12:00:00
Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
2022-06-02 12:00:00
2022 Top Routinely Exploited Vulnerabilities
2023-08-03 12:00:00
f5
f5
Apache Struts vulnerabilities CVE-2020-17530 and CVE-2021-31805
2020-12-22 01:45:00
malwarebytes
malwarebytes
VMWare vulnerabilities are actively being exploited, CISA warns
2022-05-19 12:42:13
2022's most routinely exploited vulnerabilitiesβ€”history repeats
2023-08-07 18:30:00
cisa
cisa
CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities
2022-05-18 00:00:00
vmware
vmware
VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.
2022-04-06 00:00:00
qualysblog
qualysblog
Qualys Tackles 2022’s Top Routinely Exploited Cyber Vulnerabilities
2023-08-24 19:07:05
Identify Server-Side Attacks Using Qualys Periscope
2022-12-01 23:11:35
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - October 2022
2022-10-18 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for THN:06F5ECB1217B8E9B20CB0AC447D63E26
cnvd1ibm10githubexploit26checkpoint_advisories2threatpost2nessus5prion2hackerone2hivepro4thn8metasploit1cve2srcincite1packetstorm1osv3cisa_kev1zdt1nuclei2ubuntucve1github1attackerkb4veracode1redhatcve1rapid7blog7ics3f51malwarebytes2cisa1vmware1qualysblog2oracle3