A recently patched vulnerability in VMware Workspace ONE Access has been leveraged to distribute both cryptocurrency mining malware and ransomware across affected systems. This information comes from Fortinet’s FortiGuard Labs, where researcher Cara Lin highlighted that the attackers aim to exploit victims’ resources extensively. The goal appears to involve not only the installation of RAR1Ransom for financial extortion but also the deployment of GuardMiner to mine cryptocurrency.

The vulnerability in question is tracked as CVE-2022-22954, rated at a critical CVSS score of 9.8. It is a remote code execution flaw associated with server-side template injection. Though VMware promptly issued patches in April 2022, the exploitation of this vulnerability has been actively observed in the wild, presenting significant risks to unpatched systems.

Fortinet’s analysis indicated that in August 2022, attackers utilized this vulnerability to propagate the Mirai botnet among Linux systems, in addition to RAR1Ransom and the GuardMiner miner, which mines Monero cryptocurrency. This reflects a growing trend where malware campaigns exploit zero-day vulnerabilities to infiltrate systems that lack proper security measures.

The Mirai variant uses a list of default credentials to brute-force well-known Internet of Things (IoT) devices and then conducts denial-of-service (DoS) attacks. Meanwhile, RAR1Ransom and GuardMiner are delivered by PowerShell or shell scripts, depending on the operating system of the target. RAR1Ransom notably uses the widely recognized WinRAR tool to lock victims’ files inside password-protected archives.
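As an added defender-side example (not code from the article or from Fortinet), the Python snippet below flags process-creation events in which WinRAR is invoked to build password-protected archives and delete the originals, the archive-as-encryptor behaviour attributed to RAR1Ransom above. The sample events, paths and passwords are constructed; the `a` command and the `-p`, `-hp` and `-df` switches are real WinRAR options.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (image path, command line).
# They are illustrative only and do not come from the article.
SAMPLE_EVENTS = [
    (r"C:\Program Files\WinRAR\Rar.exe",
     "Rar.exe a -r -hpS3cr3tKey -df C:\\Users\\bob\\Documents\\locked.rar C:\\Users\\bob\\Documents\\*"),
    (r"C:\Program Files\WinRAR\WinRAR.exe",
     "WinRAR.exe a backup.rar C:\\Users\\bob\\Pictures\\*"),          # benign: no password
    (r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),  # not an archiver
    (r"C:\Program Files\WinRAR\Rar.exe",
     "Rar.exe a -pHunter2 C:\\temp\\out.rar C:\\temp\\report.docx"),
]

RAR_IMAGES = ("rar.exe", "winrar.exe")
# WinRAR switches: -p<pwd> sets an archive password, -hp<pwd> also encrypts
# file names, -df deletes the source files once they are archived.
# "-p-" explicitly means "no password", so it is excluded.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)(?!-)\S*", re.IGNORECASE)
DELETE_SWITCH = re.compile(r"(?:^|\s)-df(?:\s|$)", re.IGNORECASE)
ADD_COMMAND = re.compile(r"^\S+\s+a\s", re.IGNORECASE)  # "a" = add to archive


@dataclass
class Finding:
    command_line: str
    severity: str
    reasons: list


def score_event(image: str, command_line: str):
    """Return a Finding when an event looks like archive-based file locking, else None."""
    if image.rsplit("\\", 1)[-1].lower() not in RAR_IMAGES:
        return None
    if not ADD_COMMAND.search(command_line):
        return None  # extraction or listing, not archive creation
    reasons = []
    if PASSWORD_SWITCH.search(command_line):
        reasons.append("password-protected archive")
    if DELETE_SWITCH.search(command_line):
        reasons.append("source files deleted after archiving")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return Finding(command_line, severity, reasons)


def scan(events):
    """Run score_event over (image, command line) pairs and keep the hits."""
    return [f for f in (score_event(img, cmd) for img, cmd in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.severity, finding.reasons, finding.command_line)
```

In a real deployment the same rules would run over Sysmon Event ID 1 or EDR process telemetry rather than the inline list, and the medium-severity hit deserves correlation with file-deletion or mass-rename activity before alerting.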

Furthermore, GuardMiner is designed to spread to additional hosts by exploiting various remote code execution vulnerabilities, including those in Apache Struts, Atlassian Confluence, and Spring Cloud Gateway. This capability allows it to persist and escalate privileges within compromised networks.

These events serve as a critical reminder that cybercriminals are quick to exploit newly disclosed vulnerabilities. The ongoing threat underscores the necessity for businesses to prioritize timely software updates and further fortify their security postures. Deploying the appropriate countermeasures and ensuring that no systems remain unpatched are essential steps for organizations looking to mitigate the risks associated with such attacks.
