Critical vulnerability CVE-2022-22954, first publicized in April with a criticality score of 9.8, has been exploited in multiple malware campaigns recently. Fortinet recently published their findings on three of these campaigns, Mirai, RAR1Ransom, and GuardMiner.
The Mirai variant analyzed deploys Denial of Service (DoS) and brute force attacks with pre-configured commonly used passwords, and also some default credentials for well-known IoT devices. The distribution of RAR1Ransom and GuardMiner is achieved by means of a PowerShell or a shell script, depending on the operating system. RAR1ransom is known for leveraging the legitimate “WinRAR” tool to lock files in password-protected archives, essentially ransoming their victims. Meanwhile, GuardMiner is a cross-platform mining Trojan, which has been active for at least two years and can harvest system resources to mine crypto-currency.
VMware patched this vulnerability in April, yet active exploitation is still underway in the wild. It is imperative that your organization’s infrastructure is patched regularly and on the lookout for any suspicious processes in the environment.
The original vulnerability is tracked here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954
To read Fortinet’s report on these recent campaigns, visit: https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability