{"uuid": "094cbc0b-7c28-4a0c-9953-a97b417e4576", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-22954", "type": "exploited", "source": "https://t.me/ShizoPrivacy/409", "content": "|Hackers exploit critical VMware RCE|\n\n🔥В продолжение поста про CVE-2022-22954 хочу поделиться ещё одной ссылкой на статью от bleepingcomputer про атаки от иранской APT35 (Rocket Kitten). Посредством этой CVE происходит доступ к среде, далее выполняются команды PS на атакуемой службе (Identity Manager), запускающие stager.\nДалее PowerShell stager извлекает лоадер PowerTrash с C2 сервера в высокообфусцированной форме и загружает Core Impact агент в системную память.\nПри привилегированном доступе в такой атаке возможен байпасс AV и EDR.\nПодробнее можно почитать в статье.\n\n💥Вот ещё разбор (более подробный).\n💥Свежая статья про CVE-2022-22954\n\n🔥In continuation of the post about CVE-2022-22954 I want to share another link to an article from bleepingcomputer about attacks from the Iranian APT35 (Rocket Kitten). Through this CVE, access to the environment occurs, then PS commands are executed on the attacked service (Identity Manager), launching the stager.\nNext, the PowerShell stager extracts the PowerTrash loader from the C2 server in a highly obfuscated form and loads the Core Impact agent into system memory.\nWith privileged access, AV and EDR bypass is possible in such an attack.\nYou can read more in the article.\n\n💥Here is another analysis (more detailed).\n💥Recent article about CVE-2022-22954\n\n#cve #EDR #av #bypass #VMware", "creation_timestamp": "2022-05-03T10:55:18.000000Z"}