
Rocket Kitten Targets VMware Flaws In the Wild

Rocket Kitten, an Iran-linked APT group, is abusing a recently patched flaw, CVE-2022-22954, in VMware Workspace ONE Access to deploy the Core Impact backdoor.

The widespread use of VMware identity and access management, combined with unfettered remote access, gives attackers a large surface for destructive breaches across industries.

The exploitation of the flaw

A few weeks ago, VMware reported that attackers were found actively exploiting a critical vulnerability in VMware software. On April 14 and 15, researchers spotted attacks trying to exploit the flaw in the wild.
  • As part of the attack chain, researchers identified and blocked PowerShell commands spawned as child processes of the legitimate Tomcat prunsrv[.]exe service process.
  • The attackers attempted to gain initial access to the target environment by abusing the VMware Identity Manager Service bug, then deployed a PowerShell stager to download the PowerTrash Loader.
  • In the final stage, the PowerTrash Loader injects the Core Impact backdoor into memory. PowerTrash Loader is a heavily obfuscated PowerShell script of about 40,000 lines.
Besides the vulnerability above, VMware Workspace ONE Access is also affected by CVE-2022-22957 and CVE-2022-22958.
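As an added illustration (not code from the Cyware article or the researchers it cites), a Python check over constructed, Sysmon-style process-creation events that flags the parent/child pairing described above: PowerShell spawned by the Tomcat prunsrv.exe service wrapper. The event fields, file paths and command lines are assumptions built for the sample.

```python
"""Flag PowerShell launched as a child of the Tomcat service wrapper.

Added example for this article, not the researchers' tooling. Operates on
constructed process-creation records with Sysmon Event ID 1-like fields;
a real deployment would feed EDR or Sysmon telemetry instead.
"""
from dataclasses import dataclass
from typing import Iterable, List
import ntpath  # handles Windows paths correctly even when run on Linux

TOMCAT_WRAPPER = "prunsrv.exe"            # Apache Commons Daemon service wrapper
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


def _basename(path: str) -> str:
    """Lower-cased file name, so path and case differences do not evade the check."""
    return ntpath.basename(path).lower()


def is_suspicious(event: ProcessEvent) -> bool:
    """True when PowerShell is spawned directly by prunsrv.exe.

    A Tomcat service wrapper has no routine reason to start PowerShell, so the
    pairing alone is the signal; no command-line keyword matching is required.
    """
    return (_basename(event.parent_image) == TOMCAT_WRAPPER
            and _basename(event.image) in SUSPICIOUS_CHILDREN)


def find_suspicious(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event that matches the parent/child rule."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample telemetry; paths and command lines are illustrative only.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tomcat\bin\prunsrv.exe", PS_PATH,
                 "powershell.exe -nop -w hidden -enc <constructed-placeholder>"),
    ProcessEvent(r"C:\Tomcat\bin\prunsrv.exe", r"C:\Program Files\Java\bin\java.exe",
                 "java.exe -jar app.jar"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS_PATH, "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_image, "->", hit.command_line)
```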

Additional insights

Researchers have attributed the attacks to Rocket Kitten based on the tactics, techniques, and procedures used.
  • The attackers were already abusing the vulnerability to launch reverse HTTPS backdoors, mostly Metasploit, Cobalt Strike, or Core Impact beacons.
  • Further, with privileged access, these types of attacks can bypass antivirus and endpoint detection and response.

Conclusion

Users of the affected VMware products should review their VMware architecture to make sure the affected components are not exposed to the internet, which dramatically increases exploitation risk. Further, VMware identity access management users should apply the patches immediately.
Cyware Publisher