Critical VMware RCE flaw is being exploited by advanced hackers to install backdoors.
CVE-2022-22954 vulnerability affects the VMware Workspace ONE Access earlier known as VMware Identity Manager.
20 days ago the issue was addressed in addition to two more RCEs – CVE-2022-22957 and CVE-2022-22958, which also affect VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Hackers were able to gain insight with the public disclosure of the flaws, proof of concept (PoC) exploit code enabling them to leverage attacks on vulnerable VMware product deployments. VMware confirmed CVE-2022-22954 exploitation in the wild.
According to Morphisec researchers they witnessed exploitation from advanced persistent threat (APT) actors, especially from an Iranian hacking group tracked as APT35, aka “Rocket Kitten.”
After exploiting the CVE-2022-22954 vulnerability the bad actors manage to get initial access to the environment. It is the only one in the RCE trio that does not require administrative access to the target server and also has a publicly available PoC exploit.
Later it starts executing a PowerShell command on the vulnerable service (Identity Manager) and launches a stager. The stager fetches the PowerTrash loader from the command and control (C2) server in an obscure form and loads the Core Impact agent into the system memory.According to Trend Micro the Core impact was abused in the past by APT35, the activity dating as far back as 2015. Core Impact is a legit penetration tool used for nefarious purposes in this case, similar to how Cobalt Strike is deployed in malicious campaigns.
Morphisec in a blog post said, “Morphisec research observed attackers already exploiting this vulnerability (CVE-2022-22954) to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons.”
Morphisec CTO Michael Gorelik further wrote, “With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR).”