Russian hackers are exploiting critical VMware flaws

The vulnerabilities were patched last week, but the NSA has uncovered details of active exploitation

Abstract silhouette of a computer hacker in front of a Russian flag

State-backed Russian cyber criminals are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.

VMware had previously warned its customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager in late November. Although the bug was considered severe, with a rating of 9.1 on the CVSS threat severity scale, a patch wasn’t available at the time and was only released on 3 December. 

Hackers operating on behalf of the Russian state, however, have been actively exploiting the vulnerability to access data on targeted systems, according to an advisory issued by the US National Security Agency (NSA).

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the advisory said.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

Beyond the wider business community, the NSA has stressed the need for organisations involved in national defence and security to apply VMware’s patch as soon as possible, or implement workarounds until updates are feasible. The advisory also suggests that organisations review and harden their configurations as well as the monitoring of federated authentication providers.

Beyond Workspace One Access and Identity Manager, the products affected include Access Connector and Identity Manager Connector, with specific product versions outlined in VMware’s original security advisory.

The vulnerability, tagged CVE-2020-4006, essentially allows hackers to seize control of vulnerable machines. They would first need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

As such the NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021
FBI warns of ongoing corporate vishing attacks
phishing

FBI warns of ongoing corporate vishing attacks

19 Jan 2021
How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021