Hackers exploit critical VMware flaw to drop ransomware & miners

[PawGo]

Anyone using VMware Workspace ONE Access? Check if you use a patched version (CVE-2022-22954). Otherwise, maybe you mine Monero for someone.

Researchers at cybersecurity company Fortinet noticed in the newest campaigns that the threat actors deployed the Mira botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
One interesting case is a pair of Bash and PowerShell scripts targeting Linux and Windows systems. The scripts fetch a list of files to launch on the compromised machine.
The PowerShell script ("init.ps1") downloads the following files from a Cloudflare IPFS gateway:
phpupdate.exe: Xmrig Monero mining software
config.json: Configuration file for mining pools
networkmanager.exe: Executable used to scan and spread infection
phpguard.exe: Executable used for guardian Xmrig miner to keep running
clean.bat: Script file to remove other cryptominers on the compromised host

More details: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-flaw-to-drop-ransomware-miners/

[1715207087]

1715207087

[1715207087]

1715207087

[1715207087]

1715207087

[NeuroticFish]

I did quick research and it looks like it's enterprise/company software. I doubt anyone use this software, unless it's used by company where they work.

I've used in the past some VMWare enterprise solution for working from home, but that was years ago and I don't remember whether it was Workspace ONE or not.
So it's reasonable to think that there may be bitcoiners affected by the exploit.

On the other hand, it was advised many times that one should keep at hand an app that shows how much CPU is being used and check that now and then, to avoid surprises.
Thanks for the info, OP.