NSA says Russian state hackers are using a VMware flaw to search networks | GeekComparison

Image caption: A Russian troll. Russian flag in the wind. This image was the profile banner of one of the accounts allegedly operated by the Internet Research Agency, the organization that ran social media “influence campaigns” in Russia, Germany, Ukraine and the US in 2009.

The National Security Agency says Russian state hackers are compromising multiple VMware systems in attacks that allow them to install malware, gain unauthorized access to sensitive data and maintain a persistent foothold on widely used remote-work platforms.

The ongoing attacks exploit a security bug that went unpatched until last Thursday, the agency reported Monday. CVE-2020-4006, as the flaw is tracked, is a command injection vulnerability, meaning that attackers can execute commands of their choice on the operating system running the vulnerable software. Command injection vulnerabilities result from code that fails to sanitize untrusted user input, such as HTTP headers or cookies, before handing it to a command interpreter. VMware patched CVE-2020-4006 after being tipped off by the NSA.
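To make the bug class concrete, here is an added example that is not from the article and not VMware's product code: a hypothetical diagnostic endpoint that pings a host named in an HTTP header, written first in the injectable form the paragraph describes and then in a hardened form that allowlists the value and never passes it through a shell. The header name, the `ping` command and the hostname rules are assumptions chosen for the illustration.

```python
import re
import subprocess
from typing import List

# Allowlist for a DNS hostname: dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen per label (assumed policy for the demo).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping(host_header: str) -> str:
    """Vulnerable pattern: the raw header value is interpolated into a command
    line that is handed to /bin/sh, so shell metacharacters such as ';' or '|'
    in the header turn into additional commands run with the service's rights.
    Assumes a POSIX ping with a -c flag."""
    cmd = f"ping -c 1 {host_header}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)
    return proc.stdout


def is_valid_hostname(value: str) -> bool:
    """Strict allowlist check; anything that is not a plain hostname is rejected."""
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def hardened_ping_argv(host_header: str) -> List[str]:
    """Hardened pattern: validate against the allowlist, then place the value in
    its own argv element. With shell=False there is no interpreter to parse
    metacharacters, so the value can only ever be ping's hostname argument."""
    if not is_valid_hostname(host_header):
        raise ValueError(f"rejected hostname from header: {host_header!r}")
    return ["ping", "-c", "1", host_header]


def hardened_ping(host_header: str) -> str:
    proc = subprocess.run(
        hardened_ping_argv(host_header), shell=False, capture_output=True, text=True, timeout=10
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed header value carrying an injected command.
    tainted = "localhost; echo INJECTED"
    print("vulnerable output:", vulnerable_ping(tainted))   # contains INJECTED
    print("hardened accepts :", is_valid_hostname("vidm.example.internal"))
    print("hardened rejects :", is_valid_hostname(tainted))
```

Running the vulnerable function with the constructed value executes the injected `echo` regardless of whether `ping` succeeds, which is exactly the behaviour the hardened version makes impossible.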

The holy grail of a hacker

Attackers from a Russian government-sponsored group are exploiting the vulnerability to gain initial access to vulnerable systems. They then upload a web shell that provides a persistent interface for running server commands. Using that command interface, the hackers eventually gain access to Active Directory, the component of Microsoft Windows Server operating systems that hackers consider the Holy Grail, because it allows them to create accounts, change passwords, and perform other highly privileged tasks.

“The command injection exploit led to the installation of a web shell and subsequent malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn allowed the actors to access protected data,” NSA officials wrote in Monday’s cybersecurity advisory.

To exploit the VMware flaw, attackers must first gain authenticated, password-based access to the device’s management interface. By default, the interface listens on port 8443. The password must be set manually when the software is installed, a requirement that suggests administrators either chose weak passwords or the passwords were compromised in some other way.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator administrator account can execute commands with unrestricted privileges on the underlying operating system,” VMware said in an advisory published Thursday. “This account is internal to the affected products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

The active attacks come as a large number of organizations have initiated work-from-home procedures in response to the COVID-19 pandemic. Since many employees have remote access to sensitive information stored on corporate and government networks, VMware software plays a key role in safeguards designed to keep connections secure.

The command injection flaw affects the following five VMware platforms:

  • VMware Access 20.01 and 20.10 on Linux
  • VMware vIDM 3.3.1, 3.3.2 and 3.3.3 on Linux
  • VMware vIDM connector 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x

People using any of these products should install the VMware patch as soon as possible. They should also review the password protecting the VMware administrative configurator account to ensure it is strong. Both the NSA and VMware offer additional advice for securing systems in the advisories cited above.

Monday’s NSA advisory did not identify the hacking group behind the attacks, other than to say it consisted of “Russian state-sponsored malicious cyber actors.” In October, the FBI and the Cybersecurity and Infrastructure Security Agency warned that Russian state hackers were targeting the critical Windows vulnerability called Zerologon. That Russian hacking group goes by many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

Post updated to correct affected products.
