Threat actors are actively exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware.
The issue causes server-side template injection due to because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. An attacker can trigger the vulnerability to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager.
Fortinet FortiGuard Labs researchers observed attacks in the wild primarily aimed at stealing sensitive data. In August, the experts detected a few particular payloads used to deploy Mirai samples targeting exposed networking devices running Linux. The Mirai variant involved in the attacks was used to launch DoS and brute force attacks.
Other payloads were used to deliver RAR1ransom and the GuardMiner cryptominer, which is a variant of xmrig. The RAR1Ransom and GuardMiner malware were distributed by using PowerShell or a shell script depending on the operating system.
