A VMware bug with a severity rating of 9.8 was exploited to install witches’ brew of malware

A researcher at security firm Fortinet said Thursday that hackers are exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency mining.

CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that has a severity rating of 9.8 out of 10. VMware Detected and corrected The vulnerability is on April 6th. Within 48 hours, the hackers reverse engineered the update and developed a working vulnerability that they later used Server leveling that the hotfix has not yet been installed. Access to VMware Workspace ONE helps administrators configure the suite of applications employees need in their work environments.

In August, researchers at Fortiguard Labs saw a sudden rise in exploit attempts and a major shift in tactics. Whereas before hackers installed payloads that collect passwords and collect other data, the new boom brought something else — specifically, ransomware known as RAR1ransom, a cryptocurrency mining tool known as GuardMiner, and Mirai, programs that collect Linux machines in a huge bot network to use to distribute denial of service attacks.

Kara Lynn, Researcher at Fortiguard Labs Wrote. It added that attackers were using it to inject payload and remotely execute code on the servers running the product.

The Mirai model that Lin saw the install was downloaded from http[:]// 107[.]189[.]8[.]21 / Badalchita / Katie[.]x86_64 and relied on the cnc . command and control server[.]good packages[.]Copy. Besides delivering unwanted traffic used in DDoSes, the model also attempted to infect other machines by guessing the administrative password they used. After decoding the strings in the code, Lin found the following list of credentials that the malware had used: