
VMware 9.8 priority rating bug exploited to install malware witch’s brew


    Hackers are exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install ransomware and cryptocurrency miners, a researcher at security firm Fortinet said Thursday.

    CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access with a priority rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, hackers reverse engineered the update and developed a working exploit, which they then used to compromise servers that had yet to install the fix. VMware Workspace ONE Access helps administrators configure the suite of apps that employees need in their work environment.

    In August, researchers at Fortiguard Labs saw a sudden spike in exploit attempts and a major shift in tactics. Where earlier attacks had installed payloads that harvested passwords and other data, the new wave brought something else: most notably ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that conscripts Linux devices into a massive botnet used in distributed denial-of-service attacks.


    “Although the critical vulnerability CVE-2022-22954 was patched as early as April, there are still multiple malware campaigns attempting to exploit it,” wrote Fortiguard Labs researcher Cara Lin. Attackers, she added, used it to inject a payload and run code remotely on servers running the product.

    The Mirai sample that Lin saw being installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64 and relied on a command-and-control server at “cnc[.]good packages[.]cc”. In addition to generating the junk traffic used in DDoSes, the malware also tried to infect other devices by guessing their administrator passwords. After decoding strings in the code, Lin recovered the hard-coded list of credentials the malware tried.


    In what appears to be a separate campaign, attackers also exploited CVE-2022-22954 to download a payload from 67[.]205[.]145[.]142. The payload comprised seven files:

    • phpupdate.exe: Xmrig Monero mining software
    • config.json: Mypools config file
    • networkmanager.exe: Executable used to scan for other hosts and spread the infection
    • phpguard.exe: Executable that watches the Xmrig miner and keeps it running
    • init.ps1: Script that maintains persistence by creating a scheduled task
    • clean.bat: Script that removes other cryptominers from the compromised host
    • encrypt.exe: RAR1 ransomware

    If RAR1ransom has not been installed before, the payload first runs encrypt.exe. That executable drops the legitimate WinRAR compression utility into a temporary Windows folder, and the ransomware then uses WinRAR to compress user data into password-protected archives.

    The payload then launches the GuardMiner attack. GuardMiner is a cross-platform mining Trojan for the Monero currency that has been active since 2020.
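As an added example (not from the article or from Fortinet's report), the Python below matches the indicators the article quotes, the Mirai download URL, the second campaign's payload host and its seven file names, against constructed log lines; the log format, the indicator labels and the sample events are assumptions.

```python
import re
from dataclasses import dataclass
# Indicators exactly as quoted in the article, in its defanged [.]/[:] notation.
DEFANGED_IOCS = {
    "mirai_download": "http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64",
    "miner_payload_host": "67[.]205[.]145[.]142",
}
# The seven file names of the second campaign's payload, as listed in the article.
PAYLOAD_FILES = ["phpupdate.exe", "config.json", "networkmanager.exe",
                 "phpguard.exe", "init.ps1", "clean.bat", "encrypt.exe"]
# Constructed sample telemetry (not real logs): proxy and process events plus benign noise.
SAMPLE_LOG = [
    "2022-08-10T03:12:44Z proxy GET http://107.189.8.21/pedalcheta/cutie.x86_64 200",
    r"2022-08-10T03:13:01Z sysmon ProcessCreate C:\Windows\Temp\encrypt.exe parent=powershell init.ps1",
    r"2022-08-10T03:13:05Z sysmon ProcessCreate C:\Windows\Temp\phpupdate.exe -c config.json",
    "2022-08-10T03:14:00Z proxy GET http://67.205.145.142/phpguard.exe 200",
    r"2022-08-10T03:15:00Z app ReadFile C:\app\config.json",
]

def refang(indicator: str) -> str:
    """Turn the article's defanged notation back into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")

@dataclass
class Hit:
    line_no: int
    kind: str
    value: str

# Whole-token match so that e.g. "myconfig.json" is not mistaken for "config.json".
_FILE_RE = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, PAYLOAD_FILES)) + r")\b", re.I)

def scan(lines):
    """Return every network and file-name indicator hit, in log order."""
    hosts = {kind: refang(value) for kind, value in DEFANGED_IOCS.items()}
    hits = []
    for line_no, line in enumerate(lines, 1):
        for kind, value in hosts.items():
            if value in line:
                hits.append(Hit(line_no, kind, value))
        names = {m.group(1).lower() for m in _FILE_RE.finditer(line)}
        if names == {"config.json"}:  # far too common a name to alert on by itself
            names = set()
        hits.extend(Hit(line_no, "payload_file", n) for n in sorted(names))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.value}")
```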

    The attacks underline the importance of installing security updates in a timely manner. Anyone who has yet to install VMware’s April 6 patch should do so right away.