The U.S. National Security Agency has released an advisory detailing how Russian state-sponsored hackers are exploiting a vulnerability in VMware products and accessing protected data on affected systems.
According to Monday’s advisory, the attackers are exploiting a vulnerability in VMware Access and VMware Identity Manager products, then accessing “protected data and abusing federated authentication.”
Products affected are the VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, according to the NSA.
The NSA says credentials to the web-based management interface of the device are required to exploit the vulnerability.
If a cyber actor can compromise those credentials, they can forge Security Assertion Markup Language (SAML) credentials to send what look like authentic requests and gain access to protected data, the NSA says.
VMware has released a patch for the command injection vulnerability, and organizations – particularly in government – running affected systems should patch immediately.
“The risk is lowered further if the web-based management interface is not accessible from Internet,” the NSA says.
The following products are affected:
- VMware Access® 20.01 and 20.10 on Linux®
- VMware vIDM® 3.3.1, 3.3.2, and 3.3.3 on Linux
- VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
- VMware Cloud Foundation® 4.x
- VMware vRealize Suite Lifecycle Manager® 8.x
Here’s more from the NSA:
The exploitation (T1190) via command injection (T1059) led to installation of a web shell (T1505.003) and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft® Active Directory Federation Services (ADFS) (T1212), which in turn granted the actors access to protected data (TA0009).
It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.
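To make concrete what a relying party such as ADFS should refuse, here is an added example (not from the NSA advisory, VMware or Microsoft) that checks a SAML assertion's issuer, signature presence, validity window and audience restriction; the IdP entity ID, the relying-party URL and both sample assertions are constructed placeholders.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical relying-party configuration (placeholder values).
EXPECTED_ISSUER = "https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
EXPECTED_AUDIENCE = "https://adfs.example.com/adfs/services/trust"

def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2020-12-07T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text: str, now_iso: str) -> list[str]:
    """Return policy violations found in one assertion (empty list = accepted).
    Only signature *presence* is checked here; cryptographic verification of
    ds:Signature against the trusted IdP certificate belongs to an XML-DSig library."""
    now, problems = _ts(now_iso), []
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer {issuer!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions element"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb):
        problems.append("assertion not yet valid")
    if na and now >= _ts(na):
        problems.append("assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience restriction does not name this relying party")
    return problems

# Constructed sample: a well-formed assertion from the expected IdP.
SAMPLE_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
 <saml:Issuer>https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
 <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Conditions NotBefore="2020-12-07T12:00:00Z" NotOnOrAfter="2020-12-07T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://adfs.example.com/adfs/services/trust</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""
# Constructed sample: the same assertion stripped of its signature and aimed elsewhere.
SAMPLE_BAD = SAMPLE_OK.replace("<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>",
                               "").replace("adfs.example.com", "other.example.net")

if __name__ == "__main__":
    print(check_assertion(SAMPLE_OK, "2020-12-07T12:01:00Z"))   # []
    print(check_assertion(SAMPLE_BAD, "2020-12-07T12:01:00Z"))
```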
There are several workarounds, and this activity can be blocked. For more information on mitigation and how to detect a possible exploitation, read the NSA’s advisory.