An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.
VMware disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, the same day it released a patch for it along with fixes for seven other, somewhat less critical, vulnerabilities that had been privately reported to the company. VMware described the flaw as a server-side template injection that can lead to remote code execution and assigned it a CVSSv3 base score of 9.8 out of 10, in part because successful exploitation gives attackers the highest level of privileged access in the compromised environment.
Days after the flaw was disclosed, proof-of-concept exploit code for it was posted publicly on Twitter. Shortly thereafter, threat actors reportedly began exploiting the flaw to install cryptocurrency miners on vulnerable servers.
Among those exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and deploy reverse-HTTPS implants, including Core Impact agents and Cobalt Strike and Metasploit beacons, Morphisec said in a report Monday. The attackers' tactics, techniques, and procedures suggested a link to Rocket Kitten, the security vendor said.
"Many groups appear to be exploiting this vulnerability, but there are not many groups deploying stolen Core Impact implants," says Michael Gorelik, CTO and head of threat research at Morphisec. "The US customer that we saw targeted here is one that has an outreach to many US customers. Unfortunately, we can't share any more details on that currently."
Morphisec has approached Core Security, the maker of Core Impact, to validate the watermark it found in the implant, he says.
The presence of the Core Impact backdoor on the targeted network, he says, points to an APT group, simply because the tool is so rarely seen in other actors' intrusions.
Morphisec described the vulnerability as a server-side template injection in the Apache Tomcat-hosted web component of VMware Workspace ONE Access/Identity Manager that lets an unauthenticated attacker execute commands on the hosting server. The flaw greatly raises the risk of ransomware attacks and major security breaches for organizations running the vulnerable product, the security vendor said.
VMware Workspace ONE Access was previously known as VMware Identity Manager. The technology is designed to give enterprises a way to quickly implement multifactor authentication, single sign-on, and conditional access policies for workers attempting to access enterprise SaaS, mobile, and Web application environments. "It is an identity provider and manager," Gorelik says. "It has access to all the organizational users and acts as access control to the environment."
Morphisec noted that several vulnerabilities have been disclosed in the product recently, including two other RCE flaws, CVE-2022-22958 and CVE-2022-22957. Both are remotely exploitable, but only by an attacker who has already obtained administrative access to the vulnerable server. The new flaw from earlier this month requires no such access, Morphisec said.
PowerShell in the Mix
In the attack Morphisec observed, the attacker, after gaining initial access through the flaw, deployed a PowerShell stager that in turn downloaded a heavily obfuscated PowerShell script known as PowerTrash Loader. The loader then loaded a Core Impact agent directly into memory, leaving little forensic evidence on disk.
Gorelik says Morphisec researchers have previously observed groups such as the Russia-linked FIN7 use PowerTrash Loader to deliver remote-access Trojans such as JSSLoader to target systems in other campaigns.
"The PowerShell command is executed as a direct command sent through server-side template injection," Gorelik says. "The command is an obfuscated PowerTrash downloader that eventually deployed the Core Impact backdoor."
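Because the PowerShell command travels inside the HTTP request that triggers the template injection, the web tier's access log is the first place a defender can see this chain. The script below is an added example, not Morphisec's or VMware's code: it scans access-log lines for template-expression markers and PowerShell launch strings, rates a request that carries both as the "direct command through template injection" pattern, and decodes a `-EncodedCommand` payload (base64 over UTF-16LE) so the analyst can read what was sent. The log format, request paths, addresses and payload are constructed for illustration; the real vulnerable endpoint and parameter are not taken from the page.

```python
"""Added example, not Morphisec's or VMware's code: triage web-server access
logs for server-side template injection (SSTI) attempts that carry a
PowerShell command. Log format, paths and payload are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Opening markers of template expressions in common Java template engines
# (FreeMarker, Velocity, Thymeleaf style); a normal UI request never carries
# these inside a parameter value.
SSTI_MARKERS = ("${", "#{", "<#", "*{")

# Substrings that indicate a PowerShell launch or in-memory loader pattern.
PS_INDICATORS = (
    "powershell", "pwsh", "-encodedcommand", "-enc", "-nop", "-w hidden",
    "bypass", "invoke-expression", "iex(", "frombase64string", "downloadstring",
)

# Combined-log style (assumed): ip ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# -EncodedCommand takes base64 of the UTF-16LE encoded script text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    ip: str
    target: str               # request target after percent-decoding
    ssti_markers: List[str]
    ps_indicators: List[str]
    decoded_command: Optional[str]

    def severity(self) -> str:
        # Template syntax plus a PowerShell launch in one request is the
        # "command sent directly through the template injection" pattern.
        if self.ssti_markers and self.ps_indicators:
            return "high"
        return "medium"


def percent_decode(target: str, max_rounds: int = 3) -> str:
    """Decode percent-encoding until stable; attackers double-encode to dodge filters."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def decode_encoded_command(text: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand payload, or None if absent or not valid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_request(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = percent_decode(m.group("target"))
    low = target.lower()
    markers = [s for s in SSTI_MARKERS if s in target]
    indicators = [s for s in PS_INDICATORS if s in low]
    if not markers and not indicators:
        return None
    return Finding(m.group("ip"), target, markers, indicators,
                   decode_encoded_command(target))


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze_request(l) for l in lines) if f is not None]


# Constructed sample payload: a harmless command, encoded the way
# powershell.exe -EncodedCommand expects it (base64 over UTF-16LE).
SAMPLE_ENC = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii")

# Constructed sample log lines (addresses and paths are placeholders).
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Apr/2022:10:01:02 +0000] '
    '"GET /app/login?next=%2Fportal HTTP/1.1" 200 5120',
    # SSTI probe: ${7*7}, percent-encoded, in a parameter value
    '198.51.100.7 - - [14/Apr/2022:10:02:11 +0000] '
    '"GET /app/ui?deviceId=%24%7B7*7%7D HTTP/1.1" 200 812',
    # SSTI marker plus a PowerShell launch carrying an encoded command
    '198.51.100.7 - - [14/Apr/2022:10:02:40 +0000] '
    '"GET /app/ui?deviceId=%24%7Bx%7D&c=powershell%20-nop%20-w%20hidden%20-enc%20'
    + SAMPLE_ENC + ' HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity()}] {f.ip} markers={f.ssti_markers} "
              f"ps={f.ps_indicators} decoded={f.decoded_command!r}")
```

Run against a real access log, the script will also surface the `${7*7}` style probes that typically precede a working payload, which is worth alerting on by itself; the decoded command is what tells you whether the request was a scanner or a stager like the one described above.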
Organizations that apply VMware's patch are protected against the flaw, he says. VMware's advisory notes that the flaw is being actively exploited and points to workarounds for organizations that cannot patch immediately.