Who is exploiting VMware right now? Probably Iran's Rocket Kitten, to name one
2022-04-26 20:52

A team of Iranian cyber-spies dubbed Rocket Kitten, for one, is likely behind attempts to exploit a critical remote-code execution vulnerability in VMware's identity management software, according to endpoint security firm Morphisec.

VMware patched its flawed software on April 6, and attackers were not far behind.

A proof-of-concept exploit emerged on April 11, and two days later malicious exploitation was seen in the wild, according to Morphisec.

The security shop's analysis, published this week, claimed that advanced persistent threat groups are behind the exploitation, and have used the vulnerability to install HTTPS-based backdoors in victims' networks.

We're told the VMware server-side template injection flaw affects an Apache Tomcat component, and could allow Rocket Kitten, or any other miscreants, to execute malicious commands on a host server.

"As with other penetration testing frameworks, these aren't always used with good intentions," the researchers wrote, adding that Trend Micro found "a modified version of Core Impact was used in the Woolen-GoldFish campaign tied to the Rocket Kitten APT35 group."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/26/iran_rocket_kitten_vmware_exploit/

Related vendor

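| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|----------|------------|-----|--------|------|----------|-------------|
| Vmware | 146      |            | 11  | 222    | 256  | 102      | 591         |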