
VMware vulnerability exploited for Rocket Kitten attacks

Iranian threat actor Rocket Kitten has been distributing the Core Impact penetration testing tool by exploiting a remote code execution flaw in VMware Workspace ONE Access and Identity Manager, which was already addressed by VMware early this month, The Hacker News reports. Abusing the vulnerability, tracked as CVE-2022-22954, could help attackers obtain "an unlimited attack surface," meaning the highest privileged access to any component of the virtualized host and guest environment, according to a Morphisec report. Researchers noted that Rocket Kitten has been delivering a PowerShell-based stager used for the next-stage PowerTrash Loader, which is then used to inject the Core Impact pen testing tool for future activity.

"The widespread use of VMware identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries... VMware customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks," said researchers.
