Hackers are exploiting a critical remote code execution vulnerability in VMware Workspace ONE Access, tracked as CVE-2022-22954, to install backdoors. It was addressed in an update 20 days ago, along with two more vulnerabilities, CVE-2022-22957 and CVE-2022-22958, which affect VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Rocket Kitten
Researchers at Morphisec announced that they detected exploitation by advanced persistent threat actors, in particular a hacker group from Iran tracked as APT35, also known as Rocket Kitten. According to Morphisec, the attackers gain initial access to an environment by exploiting a VMware Identity Manager Service vulnerability.
Then the attacker deploys a PowerShell stager to download the next stage, PowerTrash Loader. Finally, an advanced penetration testing framework is injected into memory. Morphisec said,
« This new vulnerability is a server-side template injection that affects an Apache Tomcat component, and as a result, the malicious command is executed on the hosting server. As part of the attack chain, Morphisec has identified and prevented PowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application. A malicious actor with network access can use this vulnerability to achieve full remote code execution against VMware’s identity access management. Workspace ONE Access provides multi-factor authentication, conditional access, and single sign-on to SaaS, web, and native mobile apps. »
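The parent-child relationship Morphisec describes, PowerShell running under Tomcat's prunsrv.exe, can be hunted for in process-creation telemetry. The following is an added example, not code from Morphisec or VMware: the events are constructed and use Sysmon Event ID 1 field names, and the function name is hypothetical. It goes beyond the direct-child case in the quote by also walking up through intermediate processes such as cmd.exe.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 field names); not from the report.
EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 600, "Image": r"C:\tomcat\bin\prunsrv.exe",
     "CommandLine": "prunsrv.exe <constructed service arguments>"},
    {"ProcessId": 2210, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -Command <constructed>"},
    {"ProcessId": 2214, "ParentProcessId": 2210,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command <constructed>"},
    {"ProcessId": 3100, "ParentProcessId": 900,  # admin session, unrelated to Tomcat
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"ProcessId": 3300, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\PowerShell\7\PWSH.EXE",
     "CommandLine": "pwsh -File <constructed>"},
]

SERVICE_HOSTS = {"prunsrv.exe"}           # Tomcat service wrapper named in the quote
SHELLS = {"powershell.exe", "pwsh.exe"}   # PowerShell hosts to look for


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def find_powershell_under_tomcat(events):
    """Return PowerShell processes that have prunsrv.exe anywhere in their ancestry."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if base(e["Image"]) not in SHELLS:
            continue
        chain, seen, pid = [base(e["Image"])], set(), e["ParentProcessId"]
        while pid in by_pid and pid not in seen:   # 'seen' guards against PID loops
            seen.add(pid)
            parent = by_pid[pid]
            chain.append(base(parent["Image"]))
            if chain[-1] in SERVICE_HOSTS:
                hits.append({"pid": e["ProcessId"], "chain": " <- ".join(chain),
                             "cmd": e["CommandLine"]})
                break
            pid = parent["ParentProcessId"]
    return hits


if __name__ == "__main__":
    for hit in find_powershell_under_tomcat(EVENTS):
        print(hit["pid"], hit["chain"], "|", hit["cmd"])
```

On real telemetry, PIDs are reused over time, so the lookup should be scoped to a time window or keyed on Sysmon's ProcessGuid instead of ProcessId.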