VMware Workspace ONE Access Vulnerabilities

Industry: N/A | Level: Tactical | Source: Morphisec

On April 14th and 15th, 2022, Morphisec identified the exploitation of vulnerabilities associated with VMware Workspace ONE Access. Out off the three vulnerabilities resulting in potential remote code execution, CVE-2022-22954 was the most critical as it does not require administrative access to the server, while CVE-2022-22957 and CVE-2022-22958 do. The vulnerability is lucrative to threat actors given the adoption of VMWare, and the large attack surface it presents, "Adversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons." The tactics, techniques, and procedures observed in an attack chain for the vulnerability were identified to be similar to Rocket Kitten, an Iranian-based threat actor group. An observed exploit involved compromising the VMWare Identity Manager Service to deploy a PowerShell stager to download a PowerShell script dubbed, PowerTrash loader to push a Core Impact Agent (developed by Core Security as part of a penetration testing framework) into memory.

• Anvilogic Use Case: VMware ONE CVE-2022-22954