Multiple malware campaigns have been exploiting the already-addressed VMware Workspace ONE Access flaw, tracked as CVE-2022-22954, to facilitate the ransomware and cryptominer distribution, The Hacker News reports.
Attackers have begun attacks leveraging the flaw in August to enable Mirai botnet deployment on systems running on Linux, according to a report from Fortinet. Mirai would then allow brute-force attacks and denial-of-service attacks against IoT devices.
Meanwhile, a PowerShell or shell script enables the delivery of RAR1Ransom and the XMRig Monero miner variant GuardMiner. WinRAR is being used by RAR1Ransom for locking files within password-protected archives, while GuardMiner abuses other remote code execution exploits in Atlassian Confluence, Apache Struts, and Spring Cloud Gateway, the report noted.
The findings also suggest the need to immediately remediate security vulnerabilities.
"The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," said Fortinet FortiGuard Labs researcher Cara Lin.