1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Known VMware flaw abused to distribute ransomware

    From TechnologyDaily@1337:1/100 to All on Tue Oct 25 16:45:03 2022
    Known VMware flaw abused to distribute ransomware

    Date:
    Tue, 25 Oct 2022 15:15:39 +0000

    Description:
    RAR1Ransom tool added to growing list of threats targeting VMware Workspace One Access.

    FULL STORY ======================================================================

    When it comes to abusing a known flaw in VMware Workspace One Access, threat actors have decided to up their ante, bringing ransomware into the mix.

    A report from Fortinet, which observed the change in attacks in August this year, noted a new flaw in VMwares product - a remote code execution vulnerability due to server-side template injection.

    The flaw was tracked as CVE-2022-22954, and it was quickly discovered that a known threat actor - APT35 (AKA Rocket Kitten) was using it. A month later, EnemyBot jumped on the bandwagon, too. Different threat actors were abusing the flaw to deploy the Mira botnet for DDoS attacks, or GuardMiner to mine cryptocurrencies for the attackers. Enter RAR1Ransom

    Now, Fortinet observed the flaw being used to deploy the RAR1Ransom tool. BleepingComputer describes it as a simple ransomware tool that abuses WinRAR to compress the victims files and lock them with a password. Once it
    completes the task, it gives all locked files the .rar1 extension. To obtain the password, victims need to pay 2 XMR - or roughly $290.

    Its worth mentioning that this is not a classic ransomware variant, as it doesnt actually encrypt the files - it just locks them in a
    password-protected archive. Read more

    Multiple VMware products found to contain critical security flaws


    VMware virtualization software is being hijacked to spy on businesses


    These are the best antivirus tools around

    Fortinet has also found that the XMR address to which victims need to pay is the same as the one used in GuardMiner.

    VMware fixed the remote code execution vulnerability months ago, but it seems that some organizations are yet to patch up their endpoints, staying vulnerable to a growing set of attacks. It fixed the flaw together with a couple of other vulnerabilities in April, and urged its users not to satisfy with the workaround it provided at the time:

    "Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not," the company warned. "While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue." Check out the best malware removal tools around

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/known-vmware-flaw-abused-to-distribute-ransomwa re/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)