Security News > 2022 > October > Hackers exploit critical VMware flaw to drop ransomware, miners
Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.
Researchers at cybersecurity company Fortinet noticed in the newest campaigns that the threat actors deployed the Mira botnet for distributed denial-of-service attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
In May, a report from AT&T Alien Labs warned about the flaw being added to the list of bugs targeted by EnemyBot.
RAR1Ransom is a simple ransomware tool that abuses WinRAR to compress the victim's files and lock them with a password.
Fortinet first reported about GuardMiner in 2020, describing it as a fully-fledged trojan that can exploit vulnerabilities for initial access, run PowerShell commands, and establish persistence by adding scheduled tasks and new accounts.
Although VMware released a fix for CVE-2022-22954 several months ago, Fortinet's report indicates that many systems remain vulnerable.
News URL
Related news
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- Exploit code for critical GitLab auth bypass flaw released (CVE-2024-45409) (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware (source)
- Iranian hackers act as brokers selling critical infrastructure access (source)
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials (source)
- Hackers exploit Roundcube webmail flaw to steal email, credentials (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-04-11 | CVE-2022-22954 | Code Injection vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. | 9.8 |