An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.
Tracked as CVE-2022-22954 (CVSS score: 9.8), the critical issue concerns a remote code execution (RCE) vulnerability affecting VMware Workspace ONE Access and Identity Manager.
While the issue was patched by the virtualization services provider on April 6, 2022, the company cautioned users of confirmed exploitation of the flaw occurring in the wild a week later.
“A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface,” researchers from Morphisec Labs said in a new report. “This means highest privileged access into any components of the virtualized host and guest environment.”

The attack chain exploiting this flaw involves the distribution of an HTML-based stager that downloads the next-stage payload, PowerTrash Loader, followed by the injection of Core Impact into memory for further activities.
“The widespread usage of VMware’s identity access management, combined with unfettered remote accessibility this attack offers is the recipe for catastrophic breaches across industries,” researchers stated.
“VMware customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks.”