A VMware bug with a severity rating of 9.8 was exploited to install witches’ brew of malware

A researcher at security firm Fortinet said Thursday that hackers are exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install ransomware and cryptocurrency miners.

CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access with a severity rating of 9.8 out of 10. VMware identified and patched the vulnerability on April 6. Within 48 hours, hackers had reverse-engineered the update and developed a working exploit, which they then used against servers on which the fix had not yet been installed. VMware Workspace ONE Access helps administrators configure the suite of applications employees need in their work environments.

In August, researchers at FortiGuard Labs saw a sudden rise in exploit attempts and a major shift in tactics. Whereas earlier attacks had installed payloads that harvest passwords and other data, the new wave brought something else: ransomware known as RAR1ransom, a cryptocurrency mining tool known as GuardMiner, and Mirai, malware that corrals Linux machines into a large botnet used to launch distributed denial-of-service attacks.

Cara Lin, a researcher at FortiGuard Labs, wrote that attackers were using the vulnerability to inject a payload and execute code remotely on servers running the product.

The Mirai sample Lin saw installed was downloaded from http[:]//107[.]189[.]8[.]21/Badalchita/Katie[.]x86_64 and relied on the command-and-control server cnc[.]goodpackets[.]cc. Besides generating the junk traffic used in DDoSes, the sample also attempted to infect other machines by guessing the administrative passwords they used. After decoding strings in the code, Lin found the following list of credentials the malware tried:

  • Hikvision
  • 1234
  • win1dows
  • S2fGqNFs
  • root
  • Tiskingon
  • our news
  • 12345
  • default
  • Soloki
  • neworange88888888
  • visitor
  • Wastebasket
  • user
  • new people
  • system
  • 059AnkJ
  • telnetadmin
  • tlJwpbo6
  • iwkb
  • 141388
  • 123456
  • 20150602
  • 00000000
  • Adaptec
  • 20080826
  • I wake up in 2015
  • v2mprt
  • boss
  • 1001 shin
  • vhd1206
  • support
  • no thing
  • xc3511
  • QwestM0dem
  • 7ujMko0admin
  • bbsd-client
  • PhysXV
  • fidel123
  • dvr2580222
  • bar 0
  • hg2x0
  • Samsung
  • t0talc0ntr0l4!
  • cablecom
  • hunt5759
  • epicrotter
  • zlxxx
  • selling point
  • Neflection
  • admin@mimifi
  • xmhdipc
  • icatch99
  • password
  • Satan
  • ntopia
  • 3com
  • DOCSIS_APP
  • Hagbolm 1
  • klv123
  • OxhlwSG8

In what appears to be a separate campaign, the attackers also exploited CVE-2022-22954 to download a payload from 67[.]205[.]145[.]142. The package included seven files:

  • phpupdate.exe: the XMRig Monero mining program
  • config.json: configuration file for the mining pools
  • networkmanager.exe: an executable used to scan for and spread the infection to other hosts
  • phpguard.exe: a guardian executable that keeps the XMRig miner running
  • init.ps1: a PowerShell script that maintains persistence by creating a scheduled task
  • clean.bat: a batch file that removes other cryptomining tools from the compromised host
  • encrypt.exe: the RAR1 ransomware

If RAR1ransom has not been installed before, the payload first runs the encrypt.exe executable. That file drops a legitimate WinRAR compression executable into a temporary Windows folder; the ransomware then uses WinRAR to compress user data into password-protected archives.

The payload then starts a GuardMiner attack. GuardMiner is a cross-platform mining trojan for Monero that has been active since 2020.
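The network indicators in this article are published defanged (`[.]`, `[:]`) so they cannot be clicked by accident; to use them in a detection pipeline they have to be refanged and compared against the hosts seen in proxy, DNS or firewall logs. The following is an added example, not code from the article, Ars Technica or Fortinet. It takes the three indicators exactly as the text quotes them (including the download path as rendered above), refangs them, reduces each to a host, and matches whole host tokens against a few constructed log lines, so a near-miss such as 167.205.145.142 is not flagged.

```python
"""Match the network indicators quoted in the article against log lines.

Added example, not code from the article or from Fortinet. The indicators
are copied verbatim (defanged) from the text above; the log lines below
are constructed for the example.
"""
import re

# Indicators exactly as the article quotes them, in bracket-defanged form.
DEFANGED_IOCS = [
    "http[:]//107[.]189[.]8[.]21/Badalchita/Katie[.]x86_64",  # Mirai download URL
    "cnc[.]goodpackets[.]cc",                                  # Mirai C2 host
    "67[.]205[.]145[.]142",                                    # miner/ransomware payload host
]

# Constructed log lines in a generic "timestamp source message" layout.
SAMPLE_LOGS = [
    "2022-08-12T10:01:22Z proxy CONNECT cnc.goodpackets.cc:443 from 10.0.0.5",
    "2022-08-12T10:01:25Z proxy GET http://107.189.8.21/Badalchita/Katie.x86_64 from 10.0.0.5",
    "2022-08-12T10:02:00Z proxy GET https://updates.example.com/pkg.tgz from 10.0.0.9",
    "2022-08-12T10:03:41Z firewall allow tcp 10.0.0.7 -> 67.205.145.142:80",
    "2022-08-12T10:04:10Z firewall allow tcp 10.0.0.7 -> 167.205.145.142:80",
]

# Host-like tokens: letters, digits, dots and hyphens; ':' and '/' end a token.
_TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def refang(indicator: str) -> str:
    """Reverse the usual defanging so the indicator can be compared to live data."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("hxxp", "http"))


def extract_hosts(indicators) -> set:
    """Reduce each indicator (URL, host name or bare IP) to a lower-case host string."""
    hosts = set()
    for ioc in indicators:
        refanged = refang(ioc)
        # Drop an optional scheme, then take everything up to a path, port or space.
        match = re.match(r"^(?:https?://)?([^/\s:]+)", refanged)
        if match:
            hosts.add(match.group(1).lower())
    return hosts


def scan(lines, indicators=DEFANGED_IOCS):
    """Return (line_index, host) for every token that equals a known-bad host.

    Tokens are compared whole, so 167.205.145.142 does not match 67.205.145.142.
    """
    bad_hosts = extract_hosts(indicators)
    hits = []
    for idx, line in enumerate(lines):
        for token in _TOKEN.findall(line):
            token = token.strip(".").lower()
            if token in bad_hosts:
                hits.append((idx, token))
    return hits


if __name__ == "__main__":
    for idx, host in scan(SAMPLE_LOGS):
        print(f"line {idx}: contact with known-bad host {host}")
```

Matching on whole tokens rather than substrings is the point of the tokenizer: a naive `"67.205.145.142" in line` check would also fire on the final, unrelated 167.205.145.142 line. In a real deployment the host set would be loaded from a threat-intelligence feed and the lines read from the log source of choice; the refang and comparison logic stays the same.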

The attacks emphasize the importance of installing security updates in a timely manner. Anyone who has not yet installed the April 6 patch for VMware should do so at once.
