Hackers exploiting VMware RCE vulnerability to plant Core Impact backdoor

Researchers at cybersecurity firm Morphisec Labs have warned of a new malicious campaign, which is exploiting a recently patched VMware RCE flaw to gain initial access and deploy a sophisticated Core Impact backdoor. Morphisec notes that the tactics, techniques, and procedures used in the observed attack are common among Iran-linked groups such as Rocket Kitten.

Tracked as CVE-2022-22954, the vulnerability is a server-side template injection flaw in VMware Workspace ONE Access and Identity Manager that leads to remote code execution: an unauthenticated remote attacker sends a specially crafted HTTP request whose template expression is evaluated by the server. VMware patched the bug on April 6, 2022; a proof-of-concept exploit was published on April 11, and a week after the patch VMware cautioned that the flaw was already being exploited in active attacks.
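The crafted-request detail above is what a defender can hunt for in web-server access logs. The following Python is an added example written for this page, not code from Morphisec, VMware or the article itself: it URL-decodes each request target in a handful of constructed access-log lines and flags FreeMarker template-injection markers (the "${" expression opener, the "?new(" built-in, and the freemarker.template.utility.Execute class name). The log lines are constructed for illustration, and the "/catalog-portal/ui/oauth/verify" path is taken from public proof-of-concept requests rather than from this article, so treat it as an assumption.

```python
"""Added example (not from the Morphisec report or this article): flag access-log
lines whose URL-decoded request target carries FreeMarker server-side template
injection markers of the kind used against CVE-2022-22954.

Assumptions, labelled here because they are not stated in the article:
  * SAMPLE_LOG is constructed, not real traffic.
  * VERIFY_PATH comes from public proof-of-concept requests, not from the article.
"""

import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [13/Apr/2022:10:01:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 215 "-" "python-requests/2.27"
10.0.0.6 - - [13/Apr/2022:10:01:05 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc-123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Apr/2022:10:01:09 +0000] "GET /SAAS/auth/login?state=%24%7B7%2A7%7D HTTP/1.1" 200 1024 "-" "curl/7.79"
10.0.0.8 - - [13/Apr/2022:10:01:11 +0000] "GET /SAAS/t/my-tenant/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Endpoint seen in public PoC requests (assumption, not from this article).
VERIFY_PATH = "/catalog-portal/ui/oauth/verify"

# "${" opens a FreeMarker interpolation; "${7*7}" style probes hit this alone.
TEMPLATE_EXPR = re.compile(r"\$\{")
# Instantiating FreeMarker's Execute/ObjectConstructor utilities, or any
# "?new(" built-in call, is the step that turns an SSTI probe into code execution.
FREEMARKER_EXEC = re.compile(
    r"freemarker\.template\.utility\.(Execute|ObjectConstructor)|\?new\s*\(", re.I
)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(request_target):
    """Return (severity, indicators, path) for one raw request target.

    severity is "high" for a FreeMarker instantiation, "medium" for a bare
    template expression (a probe), and None when nothing suspicious is present.
    """
    parts = urlsplit(request_target)  # split on the raw target so %3F is not a '?'
    path = decode_fully(parts.path)
    decoded = path + "?" + decode_fully(parts.query)

    indicators = []
    if TEMPLATE_EXPR.search(decoded):
        indicators.append("template_expression")
    if FREEMARKER_EXEC.search(decoded):
        indicators.append("freemarker_instantiation")
    if path == VERIFY_PATH:
        indicators.append("known_target_endpoint")

    if "freemarker_instantiation" in indicators:
        severity = "high"
    elif "template_expression" in indicators:
        severity = "medium"
    else:
        severity = None
    return severity, indicators, path


def scan_log(text):
    """Parse access-log text and return one finding dict per suspicious request.

    The HTTP status is recorded but not used for scoring: a 400 or 302 says
    nothing about whether the template was evaluated, so the request itself is
    the indicator.
    """
    findings = []
    for line in text.strip().splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        severity, indicators, path = classify(match["target"])
        if severity is None:
            continue
        findings.append({
            "ip": match["ip"],
            "ts": match["ts"],
            "path": path,
            "status": int(match["status"]),
            "severity": severity,
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log, the two things worth tuning are the decode bound (raise it if your reverse proxy re-encodes) and the endpoint list: matching on the template markers alone already catches probes such as "${7*7}" that never touch the Workspace ONE path, which is why severity is driven by the FreeMarker instantiation pattern rather than by the URL.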

Morphisec says that attackers can use this vulnerability to deploy ransomware or cryptomining malware as part of initial access, lateral movement, or privilege escalation. In the observed attacks, the threat actors exploited the bug to launch reverse HTTPS backdoors, mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be able to bypass typical defenses, including antivirus (AV) and endpoint detection and response (EDR).

“VMware is a $30 billion cloud computing and virtualization platform used by 500,000 organizations worldwide. A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means highest privileged access into any components of the virtualized host and guest environment. Affected firms face significant security breaches, ransom, brand damage, and lawsuits,” the researchers warned.
