A Known VMware Flaw Used to Distribute Ransomware

When it comes to abusing a known flaw in VMware Workspace One Access, threat actors decided to up the ante by introducing ransomware into the mix.

A Fortinet report, which looked at the evolution of the attacks in August this year, pointed to a new flaw in the VMware product: a remote code execution vulnerability caused by server-side template injection.

The flaw was identified as CVE-2022-22954, and it was soon discovered that a known threat actor, APT35 (also known as Rocket Kitten), was using it. A month later, EnemyBot also jumped on the bandwagon. Various threat actors were abusing the flaw to deploy the Mirai botnet for DDoS attacks, or GuardMiner to mine cryptocurrency for the attackers.

Enter RAR1 Ransom

Now, Fortinet has noted that the flaw is being used to deploy the RAR1Ransom tool. BleepingComputer describes it as a "simple ransomware tool" that abuses WinRAR to compress the victim's files and lock them with a password. After the task is complete, it gives all locked files the extension .rar1. To get the password, victims have to pay 2 XMR, which is around €290.

It should be noted that this is not a "classic" ransomware variant: it does not actually encrypt your files, it simply locks them inside a password-protected archive.
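Because the tool relies on a legitimate archiver rather than custom encryption, the behaviour described above is easy to spot in endpoint telemetry. The following script is an added example, not code from Fortinet, BleepingComputer or the report itself: it scans constructed process-creation and file-creation events for two signals, WinRAR being launched with a password switch (`-p<pw>` or `-hp<pw>`, both real WinRAR switches) and a burst of files created with the `.rar1` extension. The event format, field names, host names and the 10-files-in-60-seconds threshold are assumptions made for this example.

```python
"""Detection sketch for archive-based "locking" ransomware such as RAR1Ransom.

Added example (not the report's code). Input is constructed endpoint telemetry:
tuples of (ISO timestamp, host, event kind, detail), where detail is a command
line for "process" events and a file path for "file_create" events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# rar.exe / WinRAR.exe as the executed image (case-insensitive, any directory).
RAR_BINARY = re.compile(r"(?:^|\\)(?:rar|winrar)\.exe\b", re.IGNORECASE)
# -p<password> (encrypt data) or -hp<password> (encrypt data and headers);
# "-p-" means "no password" and is deliberately excluded.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p(?!-)\S+", re.IGNORECASE)
LOCKED_EXT = ".rar1"           # extension the tool appends to locked archives
BURST_THRESHOLD = 10           # assumed: this many .rar1 files ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window is suspicious

# Constructed sample telemetry (not real data). ws01 is the "victim".
SAMPLE_EVENTS = [
    ("2022-10-21T10:00:00", "ws01", "process",
     r"C:\Program Files\WinRAR\rar.exe a -r -hpHunter2 C:\Users\alice\Documents\docs.rar1 C:\Users\alice\Documents\*"),
    ("2022-10-21T10:00:01", "ws02", "process",   # benign backup, no password
     r"C:\Program Files\WinRAR\rar.exe a -r C:\Backups\weekly.rar C:\Users\bob\Documents\*"),
    ("2022-10-21T10:00:02", "ws03", "process",   # unrelated process
     r"C:\Windows\System32\notepad.exe C:\Users\carol\notes-p.txt"),
] + [
    (f"2022-10-21T10:00:{5 + 2 * i:02d}", "ws01", "file_create",
     rf"C:\Users\alice\Documents\file{i}.docx.rar1") for i in range(12)
] + [
    ("2022-10-21T10:05:00", "ws02", "file_create", r"C:\Users\bob\old.rar1"),
    ("2022-10-21T10:05:30", "ws02", "file_create", r"C:\Users\bob\old2.rar1"),
]


def is_password_archiving(cmdline: str) -> bool:
    """True when WinRAR's command-line archiver is run with a password switch."""
    return bool(RAR_BINARY.search(cmdline) and PASSWORD_SWITCH.search(cmdline))


def rar1_bursts(events):
    """Return {host: peak_count} for hosts that created >= BURST_THRESHOLD
    .rar1 files inside any BURST_WINDOW (sliding window over sorted times)."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "file_create" and detail.lower().endswith(LOCKED_EXT):
            per_host[host].append(datetime.fromisoformat(ts))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            hits[host] = peak
    return hits


def analyze(events):
    """Combine both signals into a list of (host, reason, evidence) findings."""
    findings = []
    for ts, host, kind, detail in events:
        if kind == "process" and is_password_archiving(detail):
            findings.append((host, "password-protected archive created with WinRAR", detail))
    for host, n in rar1_bursts(events).items():
        findings.append((host, f"{n} {LOCKED_EXT} files created within "
                               f"{int(BURST_WINDOW.total_seconds())}s", ""))
    return findings


if __name__ == "__main__":
    for host, reason, evidence in analyze(SAMPLE_EVENTS):
        print(f"[{host}] {reason} {evidence}")
```

On the sample data only ws01 is flagged, once for the `-hp` invocation and once for the 12 `.rar1` files created within 22 seconds; the plain backup on ws02 and its two stray `.rar1` files stay below the bar. A real deployment would feed the same functions from EDR process and file events, and the archiver list could be widened to other tools that support password-protected archives.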

Fortinet also discovered that the XMR address victims have to pay to is the same one used in GuardMiner.

VMware patched the remote code execution vulnerability months ago, but it appears that some organizations still haven't patched their endpoints and remain vulnerable to a growing set of attacks. VMware fixed the flaw along with a few other vulnerabilities in April and urged its users not to settle for the workaround offered at the time:

"Workarounds, while practical, do not eliminate vulnerabilities and may introduce additional complexities that patches would not introduce," the company warned. "While the decision to patch or use the workaround is yours, VMware still strongly recommends patching as the easiest and most reliable way to resolve this issue."

Via: BleepingComputer