Threat actors are exploiting a now-patched vulnerability in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware. The flaw is a remote code execution vulnerability that stems from server-side template injection.
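The opening paragraph names server-side template injection as the root cause without showing what the bug class looks like. The following is an added example, not code from the article, from Fortinet, or from VMware: a vulnerable render function beside its hardened form, using only Python's standard-library string formatting. The `Account` class, the `render_*` functions and the secret value are constructed for illustration.

```python
"""Added illustration of server-side template injection (SSTI).

Not taken from the article or from any product code; all names below are
hypothetical. The point is the difference between building the template
from untrusted input (vulnerable) and passing untrusted input to a fixed
template as a value (hardened).
"""


class Account:
    """Constructed object that the template engine renders against."""

    def __init__(self, username, api_token):
        self.username = username
        # Constructed secret; a correct template must never expose it.
        self.api_token = api_token


def render_vulnerable(user_supplied, account):
    """BUG: attacker-controlled text becomes part of the template itself.

    Any format-string syntax in the input is interpreted by .format(), so
    the input can reach attributes of objects passed to the template.
    """
    template = "Hello, " + user_supplied + "!"
    return template.format(account=account)


def render_hardened(user_supplied, account):
    """Fixed: the template is a constant; untrusted input is data only.

    Braces in the input are copied literally rather than evaluated.
    """
    template = "Hello, {name}!"
    return template.format(name=user_supplied)


def looks_like_template_probe(value):
    """Cheap input check a defender can log on: syntax of common template
    engines appearing in a field that should be plain text."""
    markers = ("{{", "}}", "{%", "%}", "${", "<%", "#{")
    return any(marker in value for marker in markers)


if __name__ == "__main__":
    acct = Account("alice", "tok-CONSTRUCTED-123")
    probe = "{account.api_token}"
    print("vulnerable:", render_vulnerable(probe, acct))
    print("hardened:  ", render_hardened(probe, acct))
    print("probe flagged:", looks_like_template_probe("{{7*7}}"))
```

The hardened function is the pattern to look for in review: the template string is a compile-time constant and every untrusted value enters it through a named placeholder, never through concatenation.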
Researchers at cybersecurity company Fortinet observed in the most recent campaigns that the threat actors deployed the Mirai botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
The attacker intends to use a victim's resources as much as possible, not only installing RAR1Ransom for extortion but also spreading GuardMiner to collect cryptocurrency. RAR1Ransom is a simple ransomware tool that uses WinRAR to compress the victim's files and lock them with a password.
According to Fortinet, the threat actor uses the same Monero address in the ransom note to mine cryptocurrency on compromised Windows or Linux hosts using GuardMiner. In the variant used in the recent attacks, GuardMiner can spread to other hosts via the “networkmanager.exe” module by fetching and using exploits from a security-testing GitHub repository.