Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.
CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that has a severity rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, the hackers reverse-engineered the update and developed a working exploit that they then used to compromise servers that had yet to install the fix. Access to VMware Workspace ONE helps administrators configure a set of applications that employees need in their work environments.
In August, FortiGuard Labs researchers noted a sudden spike in exploit attempts and a major change in tactics. Whereas earlier attacks installed payloads that harvest passwords and collect other data, the new wave brought something else, specifically ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that corrals Linux devices into a massive botnet for use in distributed denial-of-service (DDoS) attacks.
“Although the critical vulnerability CVE-2022-22954 was already patched in April, there are still several malware campaigns trying to exploit it,” wrote Cara Lin, a researcher at Fortiguard Labs. The attackers, she added, were using it to inject a payload and achieve remote code execution on servers running the product.
The Mirai sample Lin saw installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/petite[.]x86_64 and relied on a command and control server in “cnc[.]good packages[.]DC. In addition to delivering junk traffic used in DDoSes, the sample also attempted to infect other devices by guessing the administrative password they used. After decoding strings in the code, Lin recovered the list of credentials the malware tries against those devices.
In what appears to be a separate campaign, the attackers also exploited CVE-2022-22954 to download a 67-bit payload.[.]205[.]145[.]142. The payload included seven files:
- phpupdate.exe – XMRig Monero mining software
- config.json – configuration file for the mining pools
- networkmanager.exe – executable used to scan for and spread to other hosts
- phpguard.exe – executable used to keep the XMRig miner running
- init.ps1 – PowerShell script that maintains persistence by creating scheduled tasks
- clean.bat – batch script that removes competing cryptominers from the compromised host
- encrypt.exe – RAR1 ransomware
If RAR1ransom has not been installed before, the payload first runs the encrypt.exe executable. That archive places the legitimate WinRAR data compression executable in a Windows temporary folder, and the ransomware then uses WinRAR to compress user data into password-protected archives.
The payload would then initiate the GuardMiner attack. GuardMiner is a cross-platform mining Trojan for the Monero coin. It has been active since 2020.
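As an added, illustrative example (not code from the article or from Fortinet), here is a small Python checker that flags process-creation events matching the chain described above: any of the seven payload file names executing, WinRAR launched from a temporary folder, and a scheduled task whose action points at init.ps1. The key="value" event format and the sample events are constructed for the example.

```python
import re

# File names of the seven-file payload described in the article.
PAYLOAD_FILES = {
    "phpupdate.exe", "config.json", "networkmanager.exe",
    "phpguard.exe", "init.ps1", "clean.bat", "encrypt.exe",
}
# Legitimate WinRAR binaries that RAR1ransom drops into a temp folder.
WINRAR_BINARIES = {"winrar.exe", "rar.exe"}
# Matches a "\Temp\" or "\tmp\" path component (case-insensitive).
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_event(line):
    """Parse a constructed key="value" process-creation line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(line):
    """Return a list of (rule, line) findings for one event."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    name = basename(image)
    findings = []
    if name in PAYLOAD_FILES:
        findings.append(("known_payload_file", line))
    if name in WINRAR_BINARIES and TEMP_DIR_RE.search(image):
        findings.append(("winrar_from_temp", line))
    if name == "schtasks.exe" and "init.ps1" in cmd:
        findings.append(("scheduled_task_init_ps1", line))
    return findings


def scan(lines):
    """Run check_event over every line and flatten the findings."""
    return [f for line in lines for f in check_event(line)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    'Image="C:\\Users\\Public\\phpupdate.exe" CommandLine="phpupdate.exe -c config.json"',
    'Image="C:\\Windows\\Temp\\WinRAR.exe" CommandLine="WinRAR.exe a docs.rar C:\\Users\\a\\Documents"',
    'Image="C:\\Windows\\System32\\schtasks.exe" CommandLine="schtasks /create /tn update /tr powershell -f init.ps1"',
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(rule, "->", line)
```

The three rules are deliberately narrow; in production they would be joined with the usual allow-listing for legitimate WinRAR installs and administrator-created tasks.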
The attacks underscore the importance of installing security updates in a timely manner. Anyone who has not yet installed the VMware April 6 patch should do so immediately.