Known VMware flaw abused to distribute ransomware

News
By Sead Fadilpašić
published

You can add the RAR1Ransom tool to the list of threats

ID theft
(Image credit: Future)

When it comes to abusing a known flaw in VMware Workspace One Access, threat actors have decided to up their ante, bringing ransomware into the mix. 

A report from Fortinet, which observed the change in attacks in August this year, noted a new flaw in VMware’s product - a remote code execution vulnerability due to server-side template injection.

The flaw was tracked as CVE-2022-22954, and it was quickly discovered that a known threat actor - APT35 (AKA Rocket Kitten) was using it. A month later, EnemyBot jumped on the bandwagon, too. Different threat actors were abusing the flaw to deploy the Mira botnet for DDoS attacks, or GuardMiner to mine cryptocurrencies for the attackers.

Enter RAR1Ransom

Now, Fortinet observed the flaw being used to deploy the RAR1Ransom tool. BleepingComputer describes it as a “simple ransomware tool” that abuses WinRAR to compress the victim’s files and lock them with a password. Once it completes the task, it gives all locked files the .rar1 extension. To obtain the password, victims need to pay 2 XMR - or roughly $290. 

It’s worth mentioning that this is not a “classic” ransomware variant, as it doesn’t actually encrypt the files - it just locks them in a password-protected archive. 

Read more

> Multiple VMware products found to contain critical security flaws

> VMware virtualization software is being hijacked to spy on businesses

> These are the best antivirus tools around

Fortinet has also found that the XMR address to which victims need to pay is the same as the one used in GuardMiner. 

VMware fixed the remote code execution vulnerability months ago, but it seems that some organizations are yet to patch up their endpoints, staying vulnerable to a growing set of attacks. It fixed the flaw together with a couple of other vulnerabilities in April, and urged its users not to satisfy with the workaround it provided at the time:

"Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not," the company warned. "While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue."

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.