Security News > 2022 > October > Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware
A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines.
"The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.
The issue, tracked as CVE-2022-22954, concerns a remote code execution vulnerability that stems from a case of server-side template injection.
Fortinet said it observed in August 2022 attacks that sought to weaponize the flaw to deploy the Mirai botnet on Linux devices as well as the RAR1Ransom and GuardMiner, a variant of the XMRig Monero miner.
RAR1ransom is also notable for leveraging the legitimate WinRAR utility to initiate the encryption process.
The findings are yet another reminder that malware campaigns continue to actively exploit recently disclosed flaws to break into unpatched systems, making it essential that users prioritize applying necessary security updates to mitigate such threats.
News URL
https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html
Related news
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability (source)
- CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability (source)
- Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining (source)
- Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability (source)
- China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware (source)
- Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (source)
- ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists (source)
- US seizes domain of Garantex crypto exchange used by ransomware gangs (source)
- International cops seize ransomware crooks' favorite Russian crypto exchange (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-11 | CVE-2022-22954 | Code Injection vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. | 9.8 |