ondemandopk.blogg.se

Exploited miners to vmware horizon servers






  • On April 11 a proof of concept for the attack appeared.
  • A patch for the initial vulnerability was released on April 6.

    This attack turned around remarkably fast. Workspace ONE Access provides multi-factor authentication, conditional access, and single sign-on to SaaS, web, and native mobile apps. A malicious actor with network access can use this vulnerability to achieve full remote code execution against VMware’s identity access management. As part of the attack chain, Morphisec has identified and prevented PowerShell commands executed as child processes of the legitimate Tomcat prunsrv.exe process. This new vulnerability is a server-side template injection that affects an Apache Tomcat component; as a result, the malicious command is executed on the hosting server. VMware is a $30 billion cloud computing and virtualization platform used by 500,000 organizations worldwide. A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means highest-privileged access into any components of the virtualized host and guest environment. Affected firms face significant security breaches, ransom, brand damage, and lawsuits. The tactics, techniques, and procedures used in the attack are common among groups such as the Iranian-linked Rocket Kitten.
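As an added example (not Morphisec's code and not part of the original post), the PowerShell-under-prunsrv.exe relationship described above can be checked over process-creation logs. It assumes Sysmon Event ID 1 field names, goes beyond direct children to any descendant of prunsrv.exe, and runs on constructed sample records; `powershell_under_tomcat`, the `pwsh.exe` entry, and the placeholder paths and GUIDs are hypothetical.

```python
import ntpath

WATCHED_ANCESTORS = {"prunsrv.exe"}      # Tomcat service wrapper named in the article
SHELLS = {"powershell.exe", "pwsh.exe"}  # pwsh.exe is an assumption added here

def image_name(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def powershell_under_tomcat(events):
    """Return (event, chain) for each PowerShell start descending from prunsrv.exe.
    events: dicts with Sysmon Event ID 1 fields; GUID matching avoids PID reuse."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for ev in events:
        if image_name(ev.get("Image")) not in SHELLS:
            continue
        chain, cur, seen = [image_name(ev["Image"])], ev, set()
        while cur is not None and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])          # guard against malformed loops
            parent = image_name(cur.get("ParentImage"))
            if not parent:
                break
            chain.append(parent)
            if parent in WATCHED_ANCESTORS:
                hits.append((ev, chain[::-1]))    # ancestor first, shell last
                break
            cur = by_guid.get(cur.get("ParentProcessGuid"))  # None if not logged
    return hits

def _ev(guid, parent_guid, image, parent_image):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image}

# Constructed sample records; paths and GUIDs are placeholders, not from the article.
TOMCAT = r"C:\placeholder\tomcat\bin\prunsrv.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    _ev("{A-1}", "{A-0}", TOMCAT, r"C:\Windows\System32\services.exe"),
    _ev("{A-2}", "{A-1}", PS, TOMCAT),                 # direct child
    _ev("{A-3}", "{A-1}", CMD, TOMCAT),
    _ev("{A-4}", "{A-3}", PS, CMD),                    # grandchild via cmd.exe
    _ev("{B-2}", "{B-1}", PS, r"C:\Windows\explorer.exe"),  # interactive use, not flagged
]

if __name__ == "__main__":
    for ev, chain in powershell_under_tomcat(SAMPLE_EVENTS):
        print(ev["ProcessGuid"], " -> ".join(chain))
```

A match is only as complete as the logged ancestry: if an intermediate process was never recorded, the walk stops there and the event is not flagged.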


    Due to indicators of a sophisticated Core Impact backdoor, Morphisec believes advanced persistent threat (APT) groups are behind these VMware Identity Manager attack events. BleepingComputer reports similar attempts have been seen in the wild. On April 14 and 15, Morphisec identified exploitation attempts for a week-old VMware Workspace ONE Access (formerly VMware Identity Manager) remote code execution (RCE) vulnerability. Morphisec is a world leader in preventing evasive polymorphic threats launched from zero-day exploits.







