Project Hyphae

Critical VMware Vulnerability Being Used to Drop Ransomware and Miners

Share This Post

Critical vulnerability CVE-2022-22954, first publicized in April with a criticality score of 9.8, has been exploited in multiple malware campaigns recently. Fortinet recently published their findings on three of these campaigns, Mirai, RAR1Ransom, and GuardMiner.

The Mirai variant analyzed deploys Denial of Service (DoS) and brute force attacks with pre-configured commonly used passwords, and also some default credentials for well-known IoT devices. The distribution of RAR1Ransom and GuardMiner is achieved by means of a PowerShell or a shell script, depending on the operating system. RAR1ransom is known for leveraging the legitimate “WinRAR” tool to lock files in password-protected archives, essentially ransoming their victims. Meanwhile, GuardMiner is a cross-platform mining Trojan, which has been active for at least two years and can harvest system resources to mine crypto-currency.

VMware patched this vulnerability in April, yet active exploitation is still underway in the wild. It is imperative that your organization’s infrastructure is patched regularly and on the lookout for any suspicious processes in the environment.

The original vulnerability is tracked here:
To read Fortinet’s report on these recent campaigns, visit:

Reach out to our incident response team for help

More To Explore

Information Security News 11-27-2023

East Texas Hospital Network Can’t Receive Ambulances Because of Potential Cybersecurity Incident Article Link: Canadian Government Discloses Data Breach After Contractor Hacks Article Link:

Information Security News 11-20-2023

PJ&A Says Cyberattack Exposed Data of Nearly 9 Million Patients Article Link: Google Workspace Weaknesses Allow Plaintext Password Theft Article Link: New York

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.