Iran-linked APT Rocket Kitten exploited VMware bug in recent attacks

The Iran-linked APT group Rocket Kitten has been observed exploiting a recently patched CVE-2022-22954 VMware flaw.

Iran-linked Rocket Kitten APT group has been observed exploiting a recently patched CVE-2022-22954 VMware Workspace ONE Access flaw to deploy ‘Core Impact’ Backdoor.

The CVE-2022-22954 vulnerability is a server-side template injection remote code execution issue, it was rated 9.8 in severity.

“VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the security advisory. “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

In Mid-April, the virtualization giant reported that threat actors are actively exploiting the critical vulnerability in VMware Workspace ONE Access and Identity Manager.

On April 14 and 15, Morphisec researchers spotted attacks attempting to exploit the VMware flaw, researchers from BleepingComputer also reported the hacking attempts.

“A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means highest privileged access into any components of the virtualized host and guest environment. Affected firms face significant security breaches, ransom, brand damage, and lawsuits.” reads the post published Morphisec Labs. “As part of the attack chain, Morphisec has identified and prevented PowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application.”

Threat actors attempt to gain initial access to a target environment by exploiting the VMWare Identity Manager Service issue, then they deploy a PowerShell stager that downloads the next stage payload dubbed by PowerTrash Loader.

The PowerTrash Loader is a heavily obfuscated PowerShell script with approximately 40,000 lines of code.

In the final stage of the attack chain, PowerTrash Loader injects the penetration testing framework Core Impact into memory.

Morphisec attributes the attacks to the Iranian APT Rocket Kitten based on the tactics, techniques, and procedures used by the threat actors.

“The widespread use of VMWare identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries,” concludes the report. “VMWare customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]