Morphisec is a world leader in preventing evasive polymorphic threats launched from zero-day exploits.

On April 14 and 15, Morphisec identified exploitation attempts for a week-old VMware Workspace ONE Access (formerly VMware Identity Manager) remote code execution (RCE) vulnerability. BleepingComputer reports similar attempts have been seen in the wild. Due to indicators of a sophisticated Core Impact backdoor, Morphisec believes advanced persistent threat (APT) groups are behind these VMware Identity Manager attack events. The tactics, techniques, and procedures used in the attack are common among groups such as the Iranian-linked Rocket Kitten.

VMware is a $30 billion cloud computing and virtualization platform used by 500,000 organizations worldwide. A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means the highest privileged access into any component of the virtualized host and guest environment. Affected firms face significant security breaches, ransom, brand damage, and lawsuits.

This new vulnerability is a server-side template injection that affects an Apache Tomcat component; as a result, the malicious command is executed on the hosting server. As part of the attack chain, Morphisec has identified and prevented PowerShell commands executed as child processes of the legitimate Tomcat prunsrv.exe process. A malicious actor with network access can use this vulnerability to achieve full remote code execution against VMware's identity access management. Workspace ONE Access provides multi-factor authentication, conditional access, and single sign-on to SaaS, web, and native mobile apps.

This attack turned around remarkably fast: a patch for the initial vulnerability was released on April 6. On April 11 a proof of concept for the attack appeared. On April 13 exploits were identified in the wild. Adversaries can use this attack to deploy ransomware or coin miners as part of their initial access, lateral movement, or privilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS backdoors, mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be able to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR). Morphisec Labs has analyzed this new attack in detail below.
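The one concrete detection hook the write-up gives is the process lineage: PowerShell spawned as a child of the Tomcat service wrapper prunsrv.exe. The script below is an added example, not Morphisec's or VMware's code, showing how that parent/child check can be run over process-creation telemetry. The log records are constructed Sysmon-style events, not data from the incident; the install path, usernames and command lines are assumptions, and cmd.exe is added to the watch list as an assumed generalisation beyond the PowerShell case the page describes.

```python
"""Flag interpreters spawned directly by Tomcat's Windows service wrapper.

Added illustration; not code from the original post or from VMware.
The events below are constructed samples, not real incident telemetry.
"""
from dataclasses import dataclass
import ntpath

# Tomcat's Windows service wrapper. The page reports PowerShell running as a
# child of this process as the observed post-exploitation step.
TOMCAT_WRAPPER = "prunsrv.exe"

# Child images to alert on under the wrapper. PowerShell comes from the page;
# cmd.exe is an assumption added so the rule covers the obvious sibling case.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style, constructed)."""
    pid: int
    image: str
    command_line: str
    parent_image: str
    user: str


def image_name(path: str) -> str:
    """Reduce a Windows image path to its lower-case file name so that
    mixed-case paths and different install directories compare equal."""
    return ntpath.basename(path).lower()


def is_suspicious(event: ProcessEvent) -> bool:
    """True when a shell or interpreter is a direct child of prunsrv.exe.
    java.exe under the wrapper is normal and is deliberately not matched."""
    return (image_name(event.parent_image) == TOMCAT_WRAPPER
            and image_name(event.image) in SUSPICIOUS_CHILDREN)


def find_suspicious(events):
    """Return the events that match the lineage rule, in input order."""
    return [e for e in events if is_suspicious(e)]


def describe(event: ProcessEvent) -> str:
    """Short one-line alert text for a matched event."""
    return (f"pid={event.pid} user={event.user} "
            f"{image_name(event.parent_image)} -> {image_name(event.image)}: "
            f"{event.command_line}")


# Constructed sample telemetry. Paths and command lines are assumptions.
TOMCAT_BIN = r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin"
SAMPLE_EVENTS = [
    # Expected behaviour: the wrapper launches the Tomcat JVM.
    ProcessEvent(4120, TOMCAT_BIN + r"\java.exe",
                 "java.exe -classpath <constructed> org.apache.catalina.startup.Bootstrap",
                 TOMCAT_BIN + r"\prunsrv.exe", r"NT AUTHORITY\SYSTEM"),
    # The pattern the page describes: PowerShell directly under the wrapper.
    ProcessEvent(5308, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command <constructed placeholder>",
                 TOMCAT_BIN + r"\prunsrv.exe", r"NT AUTHORITY\SYSTEM"),
    # Same lineage with an upper-case parent path; normalisation still matches.
    ProcessEvent(5322, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c <constructed placeholder>",
                 TOMCAT_BIN.upper() + r"\PRUNSRV.EXE", r"NT AUTHORITY\SYSTEM"),
    # Interactive PowerShell from Explorer: out of scope for this rule.
    ProcessEvent(6010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", r"C:\Windows\explorer.exe", r"CORP\analyst"),
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", describe(hit))
```

Run as-is it prints two alerts (pids 5308 and 5322) and stays silent on the JVM child and the Explorer-launched shell. On a real host the rule belongs in the EDR or SIEM rather than a script, and the parent match should be on the service account's Tomcat install path as well as the image name, but the lineage check itself is the part worth carrying over.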