{"id":41633,"date":"2020-12-08T12:29:19","date_gmt":"2020-12-08T12:29:19","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=a090a6c25c3debceea5ebbf3aa1e5541"},"modified":"2020-12-08T12:29:19","modified_gmt":"2020-12-08T12:29:19","slug":"russian-hackers-are-exploiting-critical-vmware-flaws","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/russian-hackers-are-exploiting-critical-vmware-flaws\/","title":{"rendered":"Russian hackers are exploiting critical VMware flaws"},"content":{"rendered":"


\n Keumars Afifi-Sabet<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
8 Dec, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

State-backed Russian\u00a0cyber criminals<\/a>\u00a0are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.<\/p>\n

VMware had previously\u00a0warned its customers about a critical command injection flaw<\/a>\u00a0in a number of its products, including Workspace One Access and Identity Manager in late November. Although the bug was considered severe, with a rating of\u00a09.1 on the CVSS threat severity scale, a patch wasn\u2019t available at the time and was only released on 3 December.\u00a0<\/p>\n

<\/p>\n

\nHackers operating on behalf of the Russian state, however, have been actively exploiting the vulnerability to access data on targeted systems, according to an advisory issued by the\u00a0US National Security Agency (NSA)<\/a>.<\/p>\n

\u201cThe exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,\u201d the advisory said.<\/p>\n

\u201cIt is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.\u201d<\/p>\n

Beyond the wider business community, the NSA has stressed the need for organisations involved in national defence and security to\u00a0apply VMware\u2019s patch<\/a>\u00a0as soon as possible, or implement workarounds until updates are feasible. The advisory also suggests that organisations review and harden their configurations as well as the monitoring of federated authentication providers.<\/p>\n

Beyond Workspace One Access and Identity Manager, the products affected include Access Connector and Identity Manager Connector, with specific product versions outlined in\u00a0VMware\u2019s original security advisory<\/a>.<\/p>\n

The vulnerability, tagged CVE-2020-4006, essentially allows hackers to seize control of vulnerable machines. They would first need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.<\/p>\n

As such the NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm\u2019s configurator service. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Keumars Afifi-Sabet<\/p>\n

8 Dec, 2020 <\/p>\n

State-backed Russian\u00a0cyber criminals\u00a0are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.
\nVMware had previou…<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41633","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41633"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41633\/revisions"}],"predecessor-version":[{"id":41634,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41633\/revisions\/41634"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}