The National Security Agency says that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.
The in-progress attacks are exploiting a security bug that remained unpatched until last Thursday, the agency reported on Monday. CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software. These vulnerabilities are the result of code that fails to filter unsafe user input such as HTTP headers or cookies. VMware patched CVE-2020-4006 after being tipped off by the NSA.
A hacker’s Holy Grail
Attackers from a group sponsored by the Russian government are exploiting the vulnerability to gain initial access to vulnerable systems. They then upload a Web shell that gives a persistent interface for running server commands. Using the command interface, the hackers are eventually able to access the active directory, the part of Microsoft Windows server operating systems that hackers consider the Holy Grail because it allows them to create accounts, change passwords, and carry out other highly privileged tasks.
“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” NSA officials wrote in Monday’s cybersecurity advisory.
For attackers to exploit the VMware flaw, they first must gain authenticated password-based access to the management interface of the device. The interface by default runs over Internet port 8443. Passwords must be manually set upon installation of software, a requirement that suggests administrators are either choosing weak passwords or that the passwords are being compromised through other means.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware said in an advisory published on Thursday. “This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”
The active attacks come as large numbers of organizations have initiated work-from-home procedures in response to the COVID-19 pandemic. With many employees remotely accessing sensitive information stored on corporate and government networks, software from VMware plays a key role in safeguards designed to keep connections secure.
The command-injection flaw affects the following five VMware platforms:
- VMware Access 3 20.01 and 20.10 on Linux
- VMware vIDM 5 3.3.1, 3.3.2, and 3.3.3 on Linux
- VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
- VMware Cloud Foundation 4.x
- VMware vRealize Suite Lifecycle Manager 7 8.x
People running one of these products should install the VMware patch as soon as possible. They should also review the password used to secure the VMware product to ensure it’s strong. Both the NSA and VMware have additional advice for securing systems at the links above.
Monday’s NSA advisory didn’t identify the hacking group behind the attacks other than to say it was composed of “Russian state-sponsored malicious cyber actors.” In October, the FBI and the Cybersecurity and Infrastructure Security Agency warned that Russian state hackers were targeting the critical Windows vulnerability dubbed Zerologon. That Russian hacking group goes under many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.
Post updated to correct affected products.