Security News > 2022 > October > Hackers exploit critical VMware flaw to drop ransomware, miners
Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.
Researchers at cybersecurity company Fortinet noticed in the newest campaigns that the threat actors deployed the Mira botnet for distributed denial-of-service attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
In May, a report from AT&T Alien Labs warned about the flaw being added to the list of bugs targeted by EnemyBot.
RAR1Ransom is a simple ransomware tool that abuses WinRAR to compress the victim's files and lock them with a password.
Fortinet first reported about GuardMiner in 2020, describing it as a fully-fledged trojan that can exploit vulnerabilities for initial access, run PowerShell commands, and establish persistence by adding scheduled tasks and new accounts.
Although VMware released a fix for CVE-2022-22954 several months ago, Fortinet's report indicates that many systems remain vulnerable.
News URL
Related news
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- US charges Chinese hackers linked to critical infrastructure breaches (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- CISA: Medusa ransomware hit over 300 critical infrastructure orgs (source)
- New SuperBlack ransomware exploits Fortinet auth bypass flaws (source)
- Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom (source)
- Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners (source)
- Stealthy Apache Tomcat Critical Exploit Bypasses Security Filters: Are You at Risk? (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-11 | CVE-2022-22954 | Code Injection vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. | 9.8 |