Wednesday, April 27, 2022

Iranian Rocket Kitten hacking group 😾 using CVE-2022-22954 to install a new backdoor !! 🚪🚪


VMware Workspace ONE now has a NEW RCE vulnerability! 

Morphisec Labs reports that Rocket Kitten, an Iranian hacking group believed to be backed by the regime, is installing new, sophisticated backdoors on victims' machines using an RCE vulnerability recently discovered in VMware Workspace ONE. 😡

This Remote Code Execution (RCE) vulnerability is registered as CVE-2022-22954 and affects VMware Workspace ONE. It has a critical 9.8 severity rating and revolves around a server-side template injection in an Apache Tomcat component that can lead to a complete RCE. An attacker who exploits this vulnerability gains a large attack surface with the highest privileges possible, and can render antivirus systems useless. 

VMware Workspace ONE Architecture

An attack by the Iranian group Rocket Kitten has been observed sending PowerShell "stager" commands that execute as child processes of prunsrv.exe, a legitimate Tomcat application. This PowerShell stager then launches a malicious loader called PowerTrash, a notorious PowerShell script. Once this is set up, attackers can deploy ransomware on victims' devices, move laterally through a network, gain further privileges through privilege escalation, or worse, launch HTTPS reverse backdoors using Metasploit or Cobalt Strike!!😢
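A detection check for the parent/child relationship described above, added here as an example and not code from the original post or from Morphisec's report: it runs over constructed Sysmon-style process-creation lines and flags PowerShell (or, as an added assumption, cmd.exe) launched as a child of prunsrv.exe. The paths, process IDs and command lines in the sample are made up.

```python
"""Flag PowerShell launched as a child of Tomcat's prunsrv.exe service wrapper.

The log lines below are constructed to imitate Sysmon Event ID 1 (process
creation) fields; the paths, PIDs and command lines are made up.
"""
import re
from typing import Dict, List

TOMCAT_WRAPPER = "prunsrv.exe"
# PowerShell is what the Morphisec report describes; cmd.exe is an added
# assumption, since stagers are commonly launched through it as well.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Last path component, lowercased, accepting backslash or slash separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_tomcat_spawning_shell(event: Dict[str, str]) -> bool:
    """True when the parent is prunsrv.exe and the child is a shell."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == TOMCAT_WRAPPER and child in SUSPICIOUS_CHILDREN


def find_alerts(lines: List[str]) -> List[str]:
    """Return the ProcessId of every event that matches the rule."""
    return [ev["ProcessId"] for ev in map(parse_event, lines)
            if is_tomcat_spawning_shell(ev) and "ProcessId" in ev]


SAMPLE_LOG = [  # constructed sample, not real telemetry
    'EventID="1" ProcessId="4120" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
    ' CommandLine="powershell.exe -nop -w hidden -enc <placeholder>" ParentImage="C:\\Tomcat\\bin\\prunsrv.exe"',
    'EventID="1" ProcessId="4121" Image="C:\\Tomcat\\bin\\java.exe"'
    ' CommandLine="java.exe -jar app.jar" ParentImage="C:\\Tomcat\\bin\\prunsrv.exe"',
    'EventID="1" ProcessId="4122" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
    ' CommandLine="powershell.exe Get-Process" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for pid in find_alerts(SAMPLE_LOG):
        print(f"ALERT: prunsrv.exe spawned a shell, ProcessId={pid}")
```

Only the first sample line matches: java.exe under prunsrv.exe is the normal Tomcat child, and PowerShell under explorer.exe has a different parent.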

PowerTrash - a notorious PowerShell Script! 

Please patch this VMware vulnerability ASAP, friends! I will investigate Rocket Kitten further! 🧐🙏 
