An espionage group from Iran, tracked as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.
VMware disclosed the RCE vulnerability tracked as CVE-2022-22954, and released updates to patch it. VMware identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity ranking of 9.8 on a scale of 10 because of the flaw, that allows attackers to gain the highest privileged access in compromised environments.
Days after the flaw was disclosed, the PoC code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began attacking the flaw to install cryptocurrency coin miners on vulnerable servers.
Attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons. The TTP of the attackers suggested a link to Rocket Kitten, the security vendor said.
The presence of the Core Impact backdoor on the targeted network, he says, is an indication that an APT group was behind it, simply because of how rarely the backdoor has been used by others.
This new vulnerability is a server-side template injection in an Apache Tomcat component of VMware’s Workspace ONE Access/Identity Manager that allows remote commands to be executed on the hosting server. The flaw greatly heightens the risk of ransomware attacks and significant security breaches for organizations using vulnerable technology.
The typical attacker after gaining initial access to the vulnerable system deployed a PowerShell stager on it that in turn downloaded a highly obfuscated PowerShell script called Power Trash Loader. The loader then loaded a Core Impact agent in system memory without leaving a trace of forensic evidence.
Organizations are urged to update the applicable patches as soon as possible to get real protection from the threat actors, exploiting the flaw in the wild. Apply the applicable workarounds if not able to apply patches