Russian State-Sponsored Malicious Cyber Actors Exploit Known Vulnerability in Virtual Workspaces

NSA Infographic (pdf) is here

Full Advisory (pdf) is here

Here is an excerpt

Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace ONE Access Using Compromised Credentials


Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware® Access and VMware Identity Manager products [1], allowing the actors access to protected data and abusing federated authentication. VMware released a patch for the Command Injection Vulnerability captured in CVE-2020-4006 on December 3rd 2020. NSA encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers.

Password-based access to the web-based management interface of the device is required to exploit the vulnerability, so using a strong and unique password lowers the risk of exploitation. The risk is lowered further if the web-based management interface is not accessible from the Internet. The vulnerability affects the following products [2]:

  • VMware Access® 20.01 and 20.10 on Linux®
  • VMware vIDM® 3.3.1, 3.3.2, and 3.3.3 on Linux
  • VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation® 4.x
  • VMware vRealize Suite Lifecycle Manager® 8.x
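An added example, not part of the NSA advisory or the original post: a triage script that matches an asset inventory against the affected list above and ranks hosts by whether the management interface is reachable from the Internet. The inventory columns, host names and priority labels are assumptions; a match means the host is in scope for the CVE-2020-4006 patch, not that it is confirmed unpatched.

```python
import csv
import io

# Affected list transcribed from the excerpt; OS is None where none is named.
AFFECTED = [
    ("VMware Access", ["20.01", "20.10"], "linux"),
    ("VMware vIDM", ["3.3.1", "3.3.2", "3.3.3"], "linux"),
    ("VMware vIDM Connector", ["3.3.1", "3.3.2", "3.3.3", "19.03"], None),
    ("VMware Cloud Foundation", ["4.x"], None),
    ("VMware vRealize Suite Lifecycle Manager", ["8.x"], None),
]
ORDER = ["patch-now", "patch-soon", "verify-patch", "not-listed"]

def version_matches(version, pattern):
    if pattern.endswith(".x"):  # "4.x" covers 4.0, 4.1.0, ...
        return version.startswith(pattern[:-1])
    # Exact release or a longer build string of it (3.3.1.0, but not 3.3.10).
    return version == pattern or version.startswith(pattern + ".")

def in_scope(product, version, os_name):
    for name, patterns, required_os in AFFECTED:
        if product.lower() == name.lower() and required_os in (None, os_name.lower()):
            return any(version_matches(version, p) for p in patterns)
    return False

def triage(inventory_csv):
    """Return (host, priority) pairs, most urgent first."""
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not in_scope(row["product"], row["version"], row["os"]):
            prio = "not-listed"    # not in the excerpt's affected list
        elif row["patched"] == "yes":
            prio = "verify-patch"  # inventory claims patched; confirm on host
        elif row["mgmt_internet"] == "yes":
            prio = "patch-now"     # management interface Internet-reachable
        else:
            prio = "patch-soon"
        out.append((row["host"], prio))
    return sorted(out, key=lambda r: ORDER.index(r[1]))

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE = """host,product,version,os,mgmt_internet,patched
idm-01,VMware vIDM,3.3.2,linux,yes,no
idm-02,VMware vIDM,3.3.2,windows,no,no
ws1-01,VMware Access,20.10,linux,no,no
vcf-01,VMware Cloud Foundation,4.1.0,linux,no,yes
conn-01,VMware vIDM Connector,19.03,windows,no,no"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```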

The exploitation (T1190) via command injection (T1059) led to installation of a web shell (T1505.003) and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft® Active Directory Federation Services (ADFS) (T1212), which in turn granted the actors access to protected data (TA0009). It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication [3] [4].

Mitigation Actions

Read more here (pdf) in the full NSA Cybersecurity Advisory