Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw

Published: 23/11/2024   Category: security

Threat actor is using the flaw to deliver Core Impact backdoor on vulnerable systems, security vendor says.



An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.
VMware disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, the same day it released a patch for the issue along with fixes for seven other, somewhat less critical, vulnerabilities that were privately reported to the company. VMware identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity score of 9.8 on a scale of 10 because the flaw, among other things, allows attackers to gain the highest level of privileged access in compromised environments.
Days after the flaw was disclosed, proof-of-concept exploit code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began exploiting the flaw to install cryptocurrency coin miners on vulnerable servers.
Among those that began exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons, Morphisec said in a report Monday. The tactics, techniques, and procedures (TTPs) of the attackers suggested a link to Rocket Kitten, the security vendor said.

"Many groups appear to be exploiting this vulnerability, but there are not many groups deploying stolen Core Impact implants," says Michael Gorelik, CTO and head of threat research at Morphisec. "The US customer that we saw targeted here is one that has an outreach to many US customers. Unfortunately, we can't share any more details on that currently."
Morphisec has approached Core Security to validate the existence of the watermark within the implant, he says.
The presence of the Core Impact backdoor on the targeted network, he says, is an indication that an APT group was behind it, simply because of how rarely the backdoor has been used by others.
Ransomware Risk
Morphisec described the new vulnerability as a server-side template injection in an Apache Tomcat component of VMware's Workspace ONE Access/Identity Manager that allows remote commands to be executed on the hosting server. The flaw greatly heightens the risk of ransomware attacks and significant security breaches for organizations running the vulnerable technology, the security vendor said.
VMware Workspace ONE Access was previously known as VMware Identity Manager. The technology is designed to give enterprises a way to quickly implement multifactor authentication, single sign-on, and conditional access policies for workers attempting to access enterprise SaaS, mobile, and Web application environments. "It is an identity provider and manager," Gorelik says. "It has access to all the organizational users and acts as access control to the environment."
Morphisec said several vulnerabilities have been disclosed in the VMware technology recently, including two other RCE flaws, CVE-2022-22958 and CVE-2022-22957. While both of these flaws are remotely exploitable, the attacker would first need to have gained administrative access to the vulnerable server. The new flaw from earlier this month, however, does not require attackers to have this level of access to exploit it, Morphisec said.
PowerShell in the Mix
In the attack that Morphisec observed, the attacker, after gaining initial access to the vulnerable system, deployed a PowerShell stager on it that in turn downloaded a highly obfuscated PowerShell script called PowerTrash Loader. The loader then loaded a Core Impact agent into system memory without leaving a trace of forensic evidence.
Gorelik says Morphisec researchers have previously observed APT groups such as Russia's FIN7 use PowerTrash Loader to deliver remote-access Trojans such as JSSLoader to target systems in other campaigns.
"The PowerShell command is executed as a direct command sent through server-side template injection," Gorelik says. "The command is an obfuscated PowerTrash downloader that eventually deployed the Core Impact backdoor."
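Because the observed intrusion chain rides a PowerShell command inside a server-side template expression, one defensive check is to scan the web tier's request logs for template-expression syntax combined with PowerShell invocation strings. The following is an added example written for this article, not Morphisec's or VMware's code; the log lines, the IP addresses and the request paths are constructed, and the marker lists are illustrative rather than a complete signature for CVE-2022-22954.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article or any real incident).
SAMPLE_LOGS = [
    '198.51.100.7 - - [14/Apr/2022:10:02:11 +0000] "GET /catalog/health HTTP/1.1" 200 17',
    '203.0.113.9 - - [14/Apr/2022:10:03:45 +0000] "GET /portal?id=%24%7Bpowershell%20-enc%20QUJD%7D HTTP/1.1" 400 0',
    '203.0.113.9 - - [14/Apr/2022:10:04:02 +0000] "GET /portal?name=%24%7B7*7%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Apr/2022:10:05:30 +0000] "POST /auth/login HTTP/1.1" 302 0',
]

# Common-log-format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Expression delimiters used by common Java template engines (illustrative list).
TEMPLATE_MARKERS = ("${", "#{", "<#")
# Strings typical of a PowerShell download/stager invocation (illustrative list).
POWERSHELL_MARKERS = ("powershell", "-enc", "iex", "downloadstring", "invoke-expression")


def classify_request(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Decode twice so a double-encoded payload still surfaces its delimiters.
    target = unquote(unquote(m.group("target")))
    lowered = target.lower()
    has_template = any(marker in target for marker in TEMPLATE_MARKERS)
    has_powershell = any(marker in lowered for marker in POWERSHELL_MARKERS)
    if has_template and has_powershell:
        severity = "high"      # template expression carrying a PowerShell command
    elif has_template:
        severity = "medium"    # template expression alone: probing or a benign false positive
    else:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "severity": severity, "target": target}


def scan_logs(lines):
    """Scan an iterable of log lines and return the findings in order of appearance."""
    return [finding for finding in map(classify_request, lines) if finding]


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding["severity"], finding["ip"], finding["target"])
```

A medium finding on its own warrants a look at the decoded request; a high finding against an unpatched Workspace ONE Access host should be treated as a likely exploitation attempt.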
Organizations that apply VMware's patch for the flaw should be protected against it, he says. VMware's advisory noted that the flaw is being actively exploited and pointed to workarounds for mitigating the threat for organizations that are unable to patch immediately.
