Russian hackers are exploiting critical VMware flaws

The vulnerabilities were patched last week, but the NSA has uncovered details of active exploitation

Abstract silhouette of a computer hacker in front of a Russian flag

State-backed Russian cyber criminals are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.

VMware had previously warned its customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager in late November. Although the bug was considered severe, with a rating of 9.1 on the CVSS threat severity scale, a patch wasn’t available at the time and was only released on 3 December. 

Hackers operating on behalf of the Russian state, however, have been actively exploiting the vulnerability to access data on targeted systems, according to an advisory issued by the US National Security Agency (NSA).

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the advisory said.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

Beyond the wider business community, the NSA has stressed the need for organisations involved in national defence and security to apply VMware’s patch as soon as possible, or implement workarounds until updates are feasible. The advisory also suggests that organisations review and harden their configurations as well as the monitoring of federated authentication providers.

Beyond Workspace One Access and Identity Manager, the products affected include Access Connector and Identity Manager Connector, with specific product versions outlined in VMware’s original security advisory.

The vulnerability, tagged CVE-2020-4006, essentially allows hackers to seize control of vulnerable machines. They would first need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

As such the NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

22 Apr 2021
What is hacktivism?
hacking

What is hacktivism?

22 Apr 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021
UK’s IoT security regulation will also include smartphones
Internet of Things (IoT)

UK’s IoT security regulation will also include smartphones

21 Apr 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021