When it comes to abusing a known flaw in VMware Workspace One Access, threat actors have decided to up their ante, bringing ransomware into the mix.
A report from Fortinet, which observed the change in attacks in August this year, noted a new flaw in VMware’s product – a remote code execution vulnerability due to server-side template injection.
The flaw was tracked as CVE-2022-22954, and it was quickly discovered that a known threat actor – APT35 (AKA Rocket Kitten) was using it. A month later, EnemyBot jumped on the bandwagon, too. Different threat actors were abusing the flaw to deploy the Mira botnet for DDoS attacks, or GuardMiner to mine cryptocurrencies for the attackers.
Enter RAR1Ransom
Now, Fortinet observed the flaw being used to deploy the RAR1Ransom tool. BleepingComputer describes it as a “simple ransomware (opens in new tab) tool” that abuses WinRAR to compress the victim’s files and lock them with a password. Once it completes the task, it gives all locked files the .rar1 extension. To obtain the password, victims need to pay 2 XMR – or roughly $290.
It’s worth mentioning that this is not a “classic” ransomware variant, as it doesn’t actually encrypt the files – it just locks them in a password-protected archive.
Fortinet has also found that the XMR address to which victims need to pay is the same as the one used in GuardMiner.
VMware fixed the remote code execution vulnerability months ago, but it seems that some organizations are yet to patch up their endpoints, staying vulnerable to a growing set of attacks. It fixed the flaw together with a couple of other vulnerabilities in April, and urged its users not to satisfy with the workaround it provided at the time:
“Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not,” the company warned. “While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue.”
Via: BleepingComputer (opens in new tab)
