9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines.
βThe attacker intends to utilize a victimβs resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency,β Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.
The issue, tracked as CVE-2022-22954 (CVSS score: 9.8), concerns a remote code execution vulnerability that stems from a case of server-side template injection. Although the shortcoming was addressed by the virtualization services provider in April 2022, it has since come under active exploitation in the wild.
Fortinet said it observed in August 2022 attacks that sought to weaponize the flaw to deploy the Mirai botnet on Linux devices as well as the RAR1Ransom and GuardMiner, a variant of the XMRig Monero miner.
The Mirai sample is retrieved from a remote server and is designed to launch denial-of-service (DoS) and brute-force attacks aimed at well-known IoT devices by making use of a list of default credentials.
The distribution of RAR1Ransom and GuardMiner, on the other hand, is achieved by means of a PowerShell or a shell script depending on the operating system. RAR1ransom is also notable for leveraging the legitimate WinRAR utility to lock files in password-protected archives.
Furthermore, GuardMiner comes with capabilities to propagate to other hosts by taking advantage of exploits for a number of remote code execution flaws in other software, including those in Apache Struts, Atlassian Confluence, and Spring Cloud Gateway.
The findings are yet another reminder that malware campaigns continue to actively exploit recently disclosed flaws to break into unpatched systems, making it essential that users prioritize applying necessary security updates to mitigate such threats.
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C