Security News > 2022 > October > Hackers exploit critical VMware flaw to drop ransomware, miners
Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives.
Researchers at cybersecurity company Fortinet noticed in the newest campaigns that the threat actors deployed the Mira botnet for distributed denial-of-service attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
In May, a report from AT&T Alien Labs warned about the flaw being added to the list of bugs targeted by EnemyBot.
RAR1Ransom is a simple ransomware tool that abuses WinRAR to compress the victim's files and lock them with a password.
Fortinet first reported about GuardMiner in 2020, describing it as a fully-fledged trojan that can exploit vulnerabilities for initial access, run PowerShell commands, and establish persistence by adding scheduled tasks and new accounts.
Although VMware released a fix for CVE-2022-22954 several months ago, Fortinet's report indicates that many systems remain vulnerable.
News URL
Related news
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
- Critical SonicWall SSLVPN bug exploited in ransomware attacks (source)
- Hackers targeting WhatsUp Gold with public exploit since August (source)
- Exploit code released for critical Ivanti RCE flaw, patch now (source)
- Broadcom fixes critical RCE bug in VMware vCenter Server (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical VMware vCenter Server bugs fixed (CVE-2024-38812) (source)
- Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware (source)
- Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms (source)
- Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18 (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-11 | CVE-2022-22954 | Code Injection vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. | 10.0 |