HomeTechnologyNewsHackers take advantage of critical VMware RCE flaw to install backdoors

Hackers take advantage of critical VMware RCE flaw to install backdoors

Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, affecting VMware Workspace ONE Access (formerly called VMware Identity Manager).

The issue was fixed in a security update 20 days ago along with two more RCEs: CVE-2022-22957 and CVE-2022-22958 also affecting VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

Shortly after the public disclosure of the flaws, proof-of-concept (PoC) exploit code emerged in the public domain, allowing hackers to take advantage of vulnerable implementations of VMware products. VMware confirmed the exploitation of CVE-2022-22954 in the wild.

Now, Morphisec researchers report seeing exploitation by advanced persistent threat (APT) actors, in particular an Iranian hacking group tracked as APT35, also known as “Rocket Kitten.”

attack details

Adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the trio of RCEs that does not require administrative access to the target server and also has a publicly available PoC exploit.

The attack begins by running a PowerShell command on the vulnerable service (Identity Manager), which starts a stage.

The host then fetches the PowerTrash loader from the command and control (C2) server in a highly obfuscated form and loads a Core Impact agent into system memory.

The APT35 Attack Flow
The APT35 Attack Flow (Morphisec)

Core Impact is a legitimate penetration testing tool that is abused for nefarious purposes in this case, similar to how Cobalt Strike is implemented in malicious campaigns.

However, this is not a new item. Trend Micro has reported abuse of Core Impact in the past by APT35, the activity dating back to 2015.

“Morphisec research noted that attackers were already exploiting this vulnerability (CVE-2022-22954) to launch reverse HTTPS backdoors, primarily Cobalt Strike, Metasploit, or Core Impact beacons” – Morphisec

Morphisec CTO Michael Gorelik told BleepingComputer that the attacker attempted a lateral move on the network, although the backdoor was stopped.

“With privileged access, these types of attacks can bypass typical defenses, including antivirus (AV) and endpoint detection and response (EDR),” Morphisec adds in the report.

Links to hosting company

Morphisec was able to retrieve the C2 address of the stage server, the version of the Core Impact client, and the 256-bit encryption key used for C2 communication, ultimately linking the operation to a specific person named Ivan Neculiti.

There’s an entry in the ‘Hucksters’ fraud exposure database by that name, which lists corporate entities registered in Moldova, Russia, and the UK, including a hosting company that the database says supports all sorts of of illegal websites, as well as spam and phishing campaigns

It is unclear whether Neculiti or associated companies were in any way involved, knowingly or unknowingly, in cybercriminal campaigns.

BleepingComputer has contacted both hosting companies for comment on the allegations made in the Morphisec report, and we’ll update this post if we hear back.

Must Read

%d bloggers like this: