Iranian hackers exploit a VMware RCE bug to install a 'Core Impact' backdoor


Rocket Kitten, an Iranian-linked threat actor, has been observed aggressively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on affected systems.

The flaw, tracked as CVE-2022-22954 (CVSS score: 9.8), is a server-side template injection that leads to remote code execution (RCE) in VMware Workspace ONE Access and Identity Manager.

VMware patched the vulnerability on April 6, 2022 (advisory VMSA-2022-0011), and a week later warned customers that it had confirmed exploitation in the wild.

"A bad actor leveraging this RCE vulnerability may generate an endless attack surface," Morphisec Labs researchers wrote in a new report. "This entails having the most privileged access to all components of the virtualized host and guest environment."


The attack chain built on the flaw delivers a PowerShell-based stager, which downloads a next-stage payload called PowerTrash Loader; the loader in turn injects the Core Impact penetration testing tool into memory for follow-on activity.

"The ubiquitous use of VMware identity access control combined with the unrestricted remote access provided by our attack is a recipe for severe breaches across businesses," the researchers wrote.

"VMware clients should additionally check their VMware architecture to ensure that the impacted components are not inadvertently broadcast on the internet, which significantly raises the exploitation risks."
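The initial-access step of the chain described above leaves a trace in the appliance's web access log, and that is the cheapest place to look before the PowerShell stager ever runs. The following detection logic is an added example and is not code from the article, from Morphisec, or from VMware. It relies on the publicly documented exploitation path for CVE-2022-22954, a FreeMarker server-side template injection through the `deviceUdid` query parameter of `/catalog-portal/ui/oauth/verify`, which the article itself does not spell out; the function and variable names are ours, and the log lines are constructed samples rather than real telemetry.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real telemetry).
# Line 2 is a single-URL-encoded template payload, line 4 the same payload
# double-encoded; lines 1 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2022:10:01:09 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 512 "-" "python-requests/2.27"
10.0.0.9 - - [20/Apr/2022:10:02:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=7b1b5e2c-2a2e-4c9d-9f71-1b1a2c3d4e5f HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.4 - - [20/Apr/2022:10:03:31 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 200 2048 "-" "curl/7.81.0"
"""

# Combined/common log format: client, ident, user, [timestamp] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Publicly documented injection point for CVE-2022-22954 (assumed here, not from the article).
VULN_PATH = "/catalog-portal/ui/oauth/verify"
VULN_PARAM = "deviceUdid"

# FreeMarker interpolation (${...}), legacy #{...}, directive openers (<#...),
# or the class used in public payloads. A legitimate UDID contains none of these.
TEMPLATE_RE = re.compile(r'\$\{|#\{|<#|freemarker\.template\.utility', re.IGNORECASE)


def find_attempts(log_text):
    """Return one dict per request that looks like a CVE-2022-22954 attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get(VULN_PARAM, []):
            # parse_qs already decoded one layer; a second unquote catches
            # double-encoded payloads that bypass naive string matching.
            decoded = unquote(value)
            if TEMPLATE_RE.search(decoded):
                hits.append({
                    "src": m["src"],
                    "ts": m["ts"],
                    # Status alone does not prove failure: the template can run
                    # before the handler returns a 4xx, so 400s are still hits.
                    "status": int(m["status"]),
                    "payload": decoded[:200],
                })
    return hits


if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} status={hit["status"]} payload={hit["payload"]}')
```

Run it over the appliance's HTTP access log (or the equivalent WAF or reverse-proxy log) rather than over constructed lines. Two caveats: only GET query strings are visible this way, so a payload carried in a request body needs server-side logging that captures parameters, and a hit on a host that the Morphisec advice says should never be reachable from the internet is also evidence that the exposure check itself has failed.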
