Threat actors exploit critical flaw in VMware Workspace ONE Access to drop ransomware, miners

Threat actors are exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access in attacks in the wild.

Threat actors are actively exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware.

The issue causes server-side template injection due to because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. An attacker can trigger the vulnerability to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager.

Fortinet FortiGuard Labs researchers observed attacks in the wild primarily aimed at stealing sensitive data. In August, the experts detected a few particular payloads used to deploy Mirai samples targeting exposed networking devices running Linux. The Mirai variant involved in the attacks was used to launch DoS and brute force attacks.

Other payloads were used to deliver RAR1ransom and the GuardMiner cryptominer, which is a variant of xmrig. The RAR1Ransom and GuardMiner malware were distributed by using PowerShell or a shell script depending on the operating system.

“We can tell the attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency.” reads the Fortinet FortiGuard Labs report.

“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it. Users should always keep systems updated and patched and be aware of any suspicious process in environment.” concludes the report. “These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are always changing and evolving.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VMware Workspace ONE Access)

[adrotate banner=”5″]

[adrotate banner=”13″]