A vulnerability in VMWare has prompted a warning that companies—and government agencies—need to patch as soon as possible.
Throughout 2020, an unprecedented portion of the world’s office workers have been forced to work from home as a result of the Covid-19 pandemic. That dispersal has created countless opportunities for hackers, who are taking full advantage. In an advisory today, the National Security Agency said that Russian state-sponsored groups have been actively attacking a vulnerability in multiple enterprise remote-work platforms developed by VMware. The company issued a security bulletin on Thursday that details patches and workarounds to mitigate the flaw, which Russian government actors have used to gain privileged access to target data.
Institutions have scrambled to adapt to remote work, offering employees secure remote access to enterprise systems. But the change comes with different risks and has created new exposures versus traditional office networks. Flaws in tools like VPNs have been especially popular targets, since they can give attackers access to internal corporate networks. A group of vulnerabilities affecting the Pulse Secure VPN, for example, were patched in April 2019, but US intelligence and defense agencies like the Cybersecurity and Infrastructure Security Agency issued warnings in October 2019, and again in January and April, that hackers were still attacking organizations—including government agencies— that had not applied the patch.
On Thursday, CISA issued a brief advisory encouraging administrators to patch the VMware vulnerability immediately. “An attacker could exploit this vulnerability to take control of an affected system,” the agency said.
In addition to warning the general public about the VMware bug, the NSA emphasized repeatedly that it “encourages National Security System (NSS), Department of Defense (DOD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers.”
“It’s one of those things where the messenger is notable as well as the message,” says Ben Read, senior manager of cyberespionage analysis at the threat intelligence firm FireEye. “It’s a remote code execution vulnerability, it’s something that people definitely want to patch, but these things happen. So the fact that the NSA wanted to make a big deal about it is likely based on the fact that it was being used by Russia’s folks in the wild and presumably against a target that the NSA is worried about.”
The affected VMware products all relate to cloud infrastructure and identity management, including VMware Workspace One Access, its predecessor, VMware Identity Manager, and VMware Cloud Foundation. VMware said in a statement that “upon notification of the issue, VMware has worked to assess this issue, and has provided the appropriate updates and patches to mitigate this issue.”
The company noted in its advisory that it rates the flaw’s severity as “Important,” a step below “Critical,” because attackers must have access to a web-based, password-protected management interface before they can exploit the vulnerability. The NSA points out that securing this interface with a strong, unique password, or setting it up so it isn’t accessible from the public internet, are both steps that can reduce the risk of attack. Fortunately, VMware did not design the affected systems with the option to use default passwords that would be trivially easy for attackers to guess.
Once a hacker has access, they can exploit the vulnerability to manipulate authentication requests called “SAML assertions” (from Security Assertion Markup Language, an open standard) as a way of burrowing deeper into an organization’s network. And they can use that position to access other servers that contain potentially sensitive information.
FireEye’s Read notes that while the bug does first require a legitimate password to exploit, that’s not an insurmountable hurdle, particularly for Russian hackers who have a known facility with credential theft techniques like password spraying. “I would guess the NSA is writing something because they have seen it work, even if it is in theory not the worst vulnerability out there,” he says.
When so many employees are working remotely, it can be difficult to use traditional network monitoring tools to flag potentially suspicious behavior. But the NSA points out that vulnerabilities like the VMware bug present a unique challenge regardless, because the malicious activity would all happen in encrypted connections to the web interface that aren’t distinguishable from legitimate logins. The NSA recommends instead that organizations comb their server logs for what are known as “exit statements” that can indicate suspicious activity.
“Regularly monitor authentication logs for anomalous authentications, especially successful ones that leverage established trusts but that come from unusual addresses or contain unusual properties,” the NSA wrote on Monday.
The NSA did not elaborate on its observation that Russian state-backed actors have been exploiting the VMware bug—including which of Russia’s many dedicated groups is implicated—but the Kremlin’s hackers have been active throughout 2020 in the US, compromising government, energy sector, and other critical infrastructure networks as well as campaign targets in the lead-up to the presidential election.
FireEye’s Read points out, though, that there have been fewer public revelations of zero-day attacks used by Russian state hackers in the past couple of years, with Kremlin-backed groups favoring publicly known tools. The NSA’s findings indicate that the groups are still open to developing their own exploits.
All Rights Reserved for Lily Hay Newman