New Malware Created to Exploit Critical VMware Vulnerability - Cyber and Fraud Centre

Affected Systems: VMware Workspace ONE Access and Identity Manager

Security researchers at Fortinet have released an article on a new form of malware seen exploiting a critical vulnerability, CVE-2022-22954, in VMware Workspace One. VMware created a patch for the vulnerability in April and detailed workarounds in a security advisory; however, many unpatched systems alongside publicly available proof-of-concept exploits have led to threat actors creating malware specialised in targeting vulnerable VMware systems. The Fortinet article details three malware campaigns exploiting the vulnerability, Mirai, RAR1Ransom, and GuardMiner.

The Mirai variant, originating from the Mirai botnet, is mainly designed to deploy denial-of-service (DoS) and brute-force attacks. The malware contains commonly used passwords and default credentials for well-known internet-of-things (IoT) devices.

Two malware variants, RAR1Ransom and GuardMiner, were deployed together. Once the malware has been initialised, it first releases the RAR1Ransom before deploying GuardMiner, a cross-platform cryptocurrency mining trojan. GuardMiner also has the capability to download and exploit multiple other vulnerabilities other than CVE-2022-22954.

Researchers were able to tell that the threat actor deploying RAR1 and GuardMiner intended to utilise as much of the victim’s resources as possible for generating cryptocurrency, as the crypto wallet string within the ransom note for RAR1 is identical to the one found within GuardMiner. The ransom note from RAR1 asks for a payment of 2 Monero (XMR) coins, the equivalent of around £260 at the time of writing.

*The ransom note from RAR1Ransome. Source:* *https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability*

Fortinet’s full article on the malware variants can be found here.

Preventions:

The malware variants detailed above target systems that are still vulnerable to CVE-2022-22954, which VMware patched in April 2022. Updating your VMware systems to the latest version will fix the vulnerability. VMware has posted an article containing advice on patching the affected systems, as well as an article describing the issues found, the exact system versions that the vulnerabilities affect, links to the fixed versions, and workarounds if you are unable to patch your VMware products.

Malware can pose a significant risk to individual devices, business networks, and services. Some types of malware are designed to look for other devices connected to the network of the host device to infect. This may be not only laptops and PCs but also servers and internet-of-things devices. An infected device brought into a work environment can pose a significant security risk and allow malicious users into your network.

To protect your organisation against malware:

Ensure that a system administrator must approve any new software before being downloaded
Keep your antivirus turned on and updated on all company devices
Regularly check that all your devices and software are on the latest updates
Limit the use of USB drives within your organisation. This can be done by blocking access to physical USB ports to most users, as well as by only allowing approved drives to be used with your organisation’s devices (and nowhere else)
Raise awareness about the dangers of malware and where it can originate from, such as from phishing emails or malicious or compromised websites.
Use a non-administrator account for day-to-day activities – only use admin accounts for administrative purposes on your network

https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability – Published 20th October

https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#section1 – Published 6^th April

24.10.22

Threat Intelligence Alerts