Privacy Ninja


NSA: Russian State Hackers Exploit New VMware Vulnerability To Steal Data

The National Security Agency (NSA) warns that Russian state-sponsored threat actors are exploiting a recently patched VMware vulnerability to steal sensitive information after deploying web shells on vulnerable servers.

“NSA encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers,” the US Defense Department’s intelligence agency said.

When asked to provide more information on the targets compromised in these attacks, the NSA told BleepingComputer that it “does not publicly share details on victims of foreign malicious cyber activity.”

“Any organization who uses the affected products should take prompt action to apply the vendor released patch,” the NSA urged.

The NSA also refrained from providing further information about the start date of these attacks, saying that “[w]e don’t provide specifics on the source of any particular information so we can continue to fulfill our vital role for the nation, including the development and sharing of technical guidance like this report.”

Security updates and workaround available

VMware released security updates to address the security bug on December 3rd after publicly disclosing the vulnerability two weeks ago and providing a temporary workaround that fully removes the attack vector and prevents exploitation.

CVE-2020-4006 was initially rated as a critical severity vulnerability but VMware has lowered its maximum severity rating to ‘Important’ after releasing a patch and sharing that exploitation requires a “valid password for the configurator admin account.”

“This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006,” VMware explains.

The full list of VMware product versions affected by the zero-day includes:

  • VMware Workspace One Access 20.01, 20.10 (Linux)
  • VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x

Admins who can’t immediately deploy the patch can use the temporary workaround to prevent CVE-2020-4006 exploitation. Information on how to implement and revert the workaround on Linux and Windows servers is available from VMware.

“This workaround should only be a temporary fix until able to fully patch the system,” the NSA said. “In addition, review and harden configurations and monitoring of federated authentication providers.”

Exploitation enables web shell deployment and data theft

In attacks exploiting CVE-2020-4006, the NSA observed the threat actors connecting to the exposed web-based management interface of devices running vulnerable VMware products and infiltrating organizations’ networks to install web shells using command injection.

After deploying the web shells, the attackers used SAML credentials to gain access to Microsoft Active Directory Federation Services (ADFS) servers and steal sensitive data.

Successful exploitation of the vulnerability tracked as CVE-2020-4006 also enables attackers to execute Linux commands on compromised devices which could help them gain persistence.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA explains.

“Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”

Detecting these attacks using network-based indicators is not feasible since the malicious activity is carried out after connecting to the web management interface via TLS encrypted tunnels.

However, ‘exit’ statements followed by a 3-digit number (for example ‘exit 123’) in /opt/vmware/horizon/workspace/logs/configurator.log on a server are an indication that exploitation activity may have occurred on the device.

“Other commands along with encoded scripts may also be present. If such logs are detected, incident response actions should be followed,” the NSA added. “Additional investigation of the server, especially for web shell malware, is recommended.”
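One way to sweep a copy of configurator.log for the log-based indicator described above. This is an added example, not code from the NSA advisory or the original article; the encoded-script heuristic and its 40-character threshold are assumptions, and the sample log lines are constructed.

```python
import re
from typing import Dict, Iterable, List

# Indicator from the NSA advisory: an "exit" statement followed by a 3-digit
# number, e.g. "exit 123", in configurator.log.
EXIT_PATTERN = re.compile(r"\bexit\s+(\d{3})\b")

# Heuristic (assumption) for the "encoded scripts" the advisory mentions:
# a long run of base64-alphabet characters. Tune the threshold locally.
ENCODED_PATTERN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

DEFAULT_LOG = "/opt/vmware/horizon/workspace/logs/configurator.log"


def scan_lines(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per suspicious line: line number, reason, text."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = EXIT_PATTERN.search(line)
        if m:
            findings.append({"line": lineno, "reason": f"exit {m.group(1)}",
                             "text": line.rstrip()})
            continue
        if ENCODED_PATTERN.search(line):
            findings.append({"line": lineno, "reason": "encoded-script-like blob",
                             "text": line.rstrip()})
    return findings


def scan_file(path: str = DEFAULT_LOG) -> List[Dict]:
    """Scan a log file on disk (e.g. a copy pulled off the server for triage)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample lines (not real VMware output) to exercise the matcher.
SAMPLE_LOG = [
    "2020-12-03 10:01:22 INFO  configurator started",
    "2020-12-03 10:05:41 INFO  command completed; exit 123",
    "2020-12-03 10:05:42 INFO  echo QUNDRVNTIFRPIFRIRSBEQVRBIElTIEEgVEVTVCBCTE9CIE9OTFk= | base64 -d",
    "2020-12-03 10:07:00 INFO  exit 0",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reason']}: {f['text']}")
```

A hit is a trigger for the incident response steps the advisory lists, not proof of compromise on its own.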

Lowering the risk of successful attacks

The security risk of this vulnerability is lowered by the fact that the configurator admin password has to be set at the time of deployment — choosing a unique and strong password is highly advised to

Restricting access to the web-based management interface for the affected products further reduces the risk of a successful attack.

The agency recommends in its advisory that “NSS, DoD, and DIB network administrators limit the accessibility of the management interface on servers to only a small set of known systems and block it from direct Internet access.”

When a compromise is suspected, the NSA advises checking server logs for any exploitation signs, checking and updating authentication service configurations, and implementing multi-factor authentication for security credential services.

Not pointing fingers

The NSA did not name the Russian-backed APT group exploiting the VMware command injection vulnerability in ongoing attacks.

However, at least one such hacking group has been actively targeting the networks of US state, local, territorial, and tribal (SLTT) government organizations during the last few months.

The FBI and DHS-CISA said in a joint advisory published in October that the Russian state-sponsored hacking group Energetic Bear has breached and exfiltrated data from US government networks since September 2020.

DHS-CISA provides more details on historical Russian malicious cyber activity targeting US organizations (tracked as GRIZZLY STEPPE).
