Threat actors exploit critical flaw in VMware Workspace ONE Access to drop ransomware, miners

VMware Workspace ONE Access CVE-2022-22954

Threat actors are exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access in attacks in the wild.

Threat actors are actively exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware.

The issue causes server-side template injection due to because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. An attacker can trigger the vulnerability to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager.

Fortinet FortiGuard Labs researchers observed attacks in the wild primarily aimed at stealing sensitive data. In August, the experts detected a few particular payloads used to deploy Mirai samples targeting exposed networking devices running Linux. The Mirai variant involved in the attacks was used to launch DoS and brute force attacks.

Other payloads were used to deliver RAR1ransom and the GuardMiner cryptominer, which is a variant of xmrig. The RAR1Ransom and GuardMiner malware were distributed by using PowerShell or a shell script depending on the operating system.

“We can tell the attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency.” reads the Fortinet FortiGuard Labs report.

“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it. Users should always keep systems updated and patched and be aware of any suspicious process in environment.” concludes the report. “These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are always changing and evolving.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VMware Workspace ONE Access)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.