Russian APT Exploiting VMware Vulnerability

Russian state-level hackers have been exploiting a vulnerability found in VMware products, including virtual workspaces, according to a cybersecurity advisory issued last week by the US National Security Agency.

PHOTOGRAPH: YIFEI FANG, GETTY IMAGES

The VMware vulnerability, tracked as CVE-2020-4006 and rated 7.2 on the Common Vulnerability Scoring System (CVSS), was disclosed and patched last week. According to the NSA advisory, threat actors are using the vulnerability to access protected data and abuse federated authentication. The NSA is urging US government agencies, including National Security System (NSS) and Department of Defense (DoD) networks, and defense industrial base (DIB) companies, to apply the vendor-provided patches as soon as possible.

The exploited vulnerability affects Windows and Linux operating systems running remote work products, including VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector. According to the advisory, exploitation first requires that a malicious actor have access to the management interface of the device. "This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data," the advisory said. Because password-based access to the web-based management interface of the device is required to exploit the VMware vulnerability, the NSA said using a stronger password lowers the risk of exploitation. "This risk is lowered further if the web-based management interface is not accessible from the internet," said the advisory.
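The second mitigation above is easy to state and easy to get wrong in practice: an administrator believes the management interface is only reachable from the admin network, but a firewall or cloud security-group change has exposed it. The script below is an added example, not code from the advisory, VMware or Red Sky Alliance. It performs a plain TCP connect check (no request is sent) against the management port from a given vantage point and compares that vantage point against an admin allow-list, so a host is flagged EXPOSED only when the port answers from an address outside the allowed networks. The port value and the allow-list networks are assumptions to be replaced with your deployment's values; the demo runs against a throwaway local listener so it can be tried offline.

```python
"""Exposure check for a web-based management interface.

Added example (not from the NSA advisory or VMware). Verifies the
"management interface is not reachable from the internet" mitigation by
doing a TCP connect test and comparing the scanning vantage point against
an allow-list of admin networks.
"""
import ipaddress
import socket

# Assumption: the port the management interface listens on. Replace it
# with whatever your deployment actually exposes.
MGMT_PORT_ASSUMED = 8443


def is_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect only; nothing is sent, the socket is closed immediately."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def source_is_allowed(source_ip: str, allowed_cidrs) -> bool:
    """True when the vantage-point address falls inside an admin network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def assess_exposure(host, port, source_ip, allowed_cidrs, timeout: float = 2.0):
    """Combine reachability with the allow-list into a verdict.

    EXPOSED means the port answered to a vantage point that is *not* in
    the admin allow-list, i.e. the interface is reachable from where it
    should not be.
    """
    reachable = is_port_reachable(host, port, timeout)
    allowed = source_is_allowed(source_ip, allowed_cidrs)
    if not reachable:
        verdict = "not-reachable"
    elif allowed:
        verdict = "reachable-from-admin-network"
    else:
        verdict = "EXPOSED"
    return {"host": host, "port": port, "source": source_ip,
            "reachable": reachable, "verdict": verdict}


def demo():
    """Self-contained run against a constructed local listener.

    Three cases: reachable from an outside address (EXPOSED), reachable from
    an admin address (acceptable), and the port closed (not-reachable).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, stands in for MGMT_PORT_ASSUMED
    listener.listen(1)
    port = listener.getsockname()[1]
    admin_nets = ["10.0.0.0/8", "192.168.50.0/24"]  # constructed allow-list
    results = [
        assess_exposure("127.0.0.1", port, "203.0.113.7", admin_nets),   # outside admin nets
        assess_exposure("127.0.0.1", port, "10.20.30.40", admin_nets),   # inside admin nets
    ]
    listener.close()
    results.append(assess_exposure("127.0.0.1", port, "203.0.113.7", admin_nets, timeout=0.5))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

In a real deployment, run the check from an address that is genuinely outside the organisation (a cloud VM or an external monitoring point) against the public address of the appliance; a reachable result from there is the condition the advisory says increases risk, and the fix is a network restriction rather than a stronger password alone.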

VMware first published a security advisory for the command injection vulnerability on 3 December 2020, crediting the NSA for reporting it. "VMware has evaluated this issue to be of 'Important' severity, with a maximum CVSSv3 base score of 7.2," the advisory said. A patch is available.[1]

Regarding the VMware vulnerability, the NSA advised government organizations to update affected systems to the latest version as soon as possible, following VMware's instructions. A workaround is also available but provides only a temporary fix until the system is fully patched. While the alert stresses the importance for government agencies to patch and update, it does not mention enterprises.

"NSA does not publicly share details on victims of foreign malicious cyber activity," wrote the NSA in an email to media. "Any organization that uses the affected products should take prompt action to apply the vendor-released patch."

The NSA alert is the latest warning about advanced persistent threat (APT) actors exploiting high-profile vulnerabilities that have been recently disclosed and patched. In October 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) released a statement saying hackers had exploited a Netlogon flaw to attack government networks. Prior to the attack, patches had already been released for two of the flaws: Netlogon and a Fortinet VPN vulnerability. Netlogon was a critically rated flaw, rated the maximum CVSS severity of 10, and had already been exploited in the wild, yet it remained unpatched on many systems, leaving them open to attack.

Red Sky Alliance has been tracking cyber criminals for years, and we believe this warning should be taken seriously. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security tools and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware and its many variants are bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.

Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
[1] https://searchsecurity.techtarget.com/news/252493270/Russian-state-sponsored-hackers-exploit-VMware-vulnerability