
VMware Workspace ONE Attack

Released: Oct 26, 2022


High Severity

VMware Vendor

Attack Type

Multiple malware campaigns targeting VMware vulnerability.

Fortinet researchers observed the VMware vulnerability CVE-2022-22954 being exploited in the wild and leveraged to deliver multiple malware payloads, such as cryptocurrency miners and ransomware, to affected machines. During August 2022, more than 50,000 devices were seen in attack attempts trying to exploit this vulnerability.

Common Vulnerabilities and Exposures

CVE-2022-22954

Background

In April 2022, VMware published a security advisory for CVE-2022-22954, a vulnerability in its VMware Workspace ONE Access, Identity Manager and vRealize Automation products. A week later, VMware updated the advisory to state that CVE-2022-22954 is being exploited in the wild. https://www.vmware.com/security/advisories/VMSA-2022-0011.html

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


In April 2022, FortiGuard Labs added protections throughout the Security Fabric to block attack attempts and is actively monitoring the evolving malware distribution that leverages the VMware vulnerability CVE-2022-22954. Users are advised to patch vulnerable versions as per the vendor's recommendations.


On October 20, 2022, a Fortinet researcher posted a blog elaborating on exploitation of the VMware vulnerability and installation of the malware. https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
DETECT
RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise
IOC Indicator List