Friday, October 21, 2022

A Number of Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware


A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines.

“The attacker intends to make the most of a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency,” Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.


The issue, tracked as CVE-2022-22954 (CVSS score: 9.8), concerns a remote code execution vulnerability that stems from a case of server-side template injection.

Though the shortcoming was addressed by the virtualization services provider in April 2022, it has since come under active exploitation in the wild.

Fortinet said it observed attacks in August 2022 that sought to weaponize the flaw to deploy the Mirai botnet on Linux devices, as well as RAR1Ransom and GuardMiner, a variant of the XMRig Monero miner.

The Mirai sample is retrieved from a remote server and is designed to launch denial-of-service (DoS) and brute-force attacks aimed at well-known IoT devices by making use of a list of default credentials.


The distribution of RAR1Ransom and GuardMiner, on the other hand, is achieved by means of a PowerShell or a shell script, depending on the operating system. RAR1Ransom is also notable for leveraging the legitimate WinRAR utility to initiate the encryption process.

The findings are yet another reminder that malware campaigns continue to actively exploit recently disclosed flaws to break into unpatched systems, making it essential that users prioritize applying necessary security updates to mitigate such threats.
