
Hackers exploit critical VMware flaw to drop ransomware, miners
2022-10-21 16:57

Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.

Researchers at cybersecurity company Fortinet noticed that in the newest campaigns the threat actors deployed the Mirai botnet for distributed denial-of-service attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.

In May, a report from AT&T Alien Labs warned about the flaw being added to the list of bugs targeted by EnemyBot.

RAR1Ransom is a simple ransomware tool that abuses WinRAR to compress the victim's files and lock them with a password.

Fortinet first reported about GuardMiner in 2020, describing it as a fully-fledged trojan that can exploit vulnerabilities for initial access, run PowerShell commands, and establish persistence by adding scheduled tasks and new accounts.

Although VMware released a fix for CVE-2022-22954 several months ago, Fortinet's report indicates that many systems remain vulnerable.
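The two payload behaviours the article describes are observable on the endpoint: RAR1Ransom runs WinRAR with a password switch to archive the victim's files, and GuardMiner persists through scheduled tasks and new accounts. The following is an added illustration, not code from the article or from Fortinet, of how a defender might express those behaviours as simple process-creation rules. The log records, the field names (`image`, `cmdline`) and the rule names are all constructed for this example; real telemetry (Sysmon Event ID 1, EDR process events) would need mapping onto the same two fields.

```python
"""Toy detection pass over constructed Windows process-creation records.

Each record imitates a process-creation event with two fields: 'image'
(the executable path) and 'cmdline'. The rules match the behaviours the
article attributes to RAR1Ransom (WinRAR invoked with a password switch
to archive files) and GuardMiner (persistence via scheduled tasks and new
local accounts). All records below are constructed samples; the rule names
and field layout are assumptions made for this example.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # WinRAR archiving a user directory with a header-encrypting password
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -r -hpS3cretKey -df C:\Users\alice\Documents.rar C:\Users\alice\Documents\*"},
    # Benign archive creation without a password: must not fire
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a C:\backups\logs.rar C:\logs\*"},
    # Scheduled-task persistence
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr C:\ProgramData\svc.exe /sc onlogon /ru SYSTEM'},
    # New local account creation
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user support1 P@ss /add"},
    # Account lookup without /add: must not fire
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user alice"},
]

# RAR switches -p<pwd> and -hp<pwd> carry the password inline; a bare "-p"
# only prompts, and "-p-" disables the prompt, so require a real value.
_RAR_PASSWORD_SWITCH = re.compile(r"^-(hp|p)([^-].*)$", re.IGNORECASE)
_NET_USER_ADD = re.compile(r"\buser\b.*\B/add\b", re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first matching rule, or None for benign events."""
    exe = ntpath.basename(event["image"]).lower()
    tokens = event["cmdline"].split()
    if not tokens:
        return None

    # Rule 1: WinRAR/Rar.exe adding files to an archive with an inline password.
    if exe in ("rar.exe", "winrar.exe"):
        is_add_command = len(tokens) > 1 and tokens[1].lower() == "a"
        has_password = any(_RAR_PASSWORD_SWITCH.match(t) for t in tokens[2:])
        if is_add_command and has_password:
            return "winrar_password_archive"

    # Rule 2: schtasks.exe creating a task (scheduled-task persistence).
    if exe == "schtasks.exe" and any(t.lower() == "/create" for t in tokens):
        return "schtasks_create"

    # Rule 3: net.exe / net1.exe adding a local user (new-account persistence).
    if exe in ("net.exe", "net1.exe") and _NET_USER_ADD.search(event["cmdline"]):
        return "net_user_add"

    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over the event list; return (event index, rule name) hits."""
    hits = []
    for idx, event in enumerate(events):
        rule = classify_event(event)
        if rule is not None:
            hits.append((idx, rule))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Each rule on its own is noisy (administrators also create tasks and accounts, and users legitimately password-protect archives); the value comes from correlating the hits per host within a short window, since the campaign described above combines all three behaviours on the same compromised system.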


News URL

https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-flaw-to-drop-ransomware-miners/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                RISK
2022-04-11  CVE-2022-22954  Code Injection vulnerability in VMware products   critical (CVSS 9.8)

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection.

Attack vector: network
Attack complexity: low
Vendor: vmware
Weakness: CWE-94
Severity: critical
Score: 9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591