Multiple campaigns are using CVE-2022-22954 to drop ransomware, coin miners and Mirai [299 words].
What: Multiple malicious campaigns are actively targeting a previously disclosed and now patched remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). Researchers from Fortinet’s FortiGuard Labs on Thursday said they had observed threat actors exploiting the vulnerability to deploy Mirai botnet malware as well as RAR1 ransomware payloads and the GuardianMiner cryptocurrency mining tool on exposed systems. The vulnerability stems from a lack of input sanitization on the “deviceUdid” and “devicetype” parameters. Malicious actors with network access can leverage the vulnerability to trigger a server-side template injection that could lead to remote code injection,
Why it matters: The US Cybersecurity and Infrastructure Security Agency (CISA) had issued an emergency directive over the same vulnerability on May 18th over concerns that it posed an “unacceptable risk” to federal agencies. At the time, CISA had warned about multiple threat actors including potentially advanced persistent threat groups abusing the flaw to execute arbitrary code on affected systems. CISA said that in some attacks, threat actors were observed chaining CVE-2022-22954 with another privilege escalation bug in VMware Workspace ONE Access, Identity Manager and vRealize Automation tracked as CVE-2022-22960. In one incident, an unauthenticated attacker used CVE-2022-22954 to execute an arbitrary shell command in the context of the VMware use and then exploited CVE-2022-22960 to escalate the user’s privileges to root. The actor used the access to wipe logs, escalate permissions, and move laterally, CISA had warned.
CISA added CVE-2022-29954 to its Known Exploited Vulnerabilities catalog on April 14. Federal agencies had until May 5th to address the issue.
Details: